Verifizierbare Entwicklung eines satellitenbasierten Zugsicherungssystems mit Petrinetzen

Nowadays model-based techniques are widely used in system design and development, especially for safety-critical systems such as train control systems. Given a design model, executable codes could be generated automatically from the model following certain transformation rules. A high-quality model of a system provides a good understanding, a favourable structure, a reasonable scale and abstraction level as well as realistic behaviours with respect to the concurrent operation of independent subsystems. Motivated by this principle, a first Coloured Petri Net (CPN) model of a satellite-based train control system (SatZB) with the capability of continuous simulation is developed employing the BASYSNET method which adopts Petri nets as the means of description during the whole development process. After establishing the system model, the verification tasks are identified based on the hazard analysis of the train control system. To verify the identified tasks for quality assurance, verification by means of simulation, formal analysis and testing is carried out considering the four representing system properties: function, state, structure and behaviour. For structural analysis, the concept of open nets is proposed to check the reproducibility of empty markings of scenario nets, the existence of dead transitions in the scenario nets, and the terminating states of the scenario nets. The system behaviour, in which states are involved, is investigated by reachability analysis. Unlike the conventional method of reachability analysis by calculating the state space of the Petri net, techniques based on Petri net unfoldings are introduced in this thesis. As to the functional verification, two model-based test generation techniques, i.e., CPN-based and SPENAT (Safe Place Transition Nets with Attributes)-based techniques, are presented. In this thesis, the proposed methods are exemplified by the application to the on-board module of SatZB model. According to the verification results, no errors were found in the module. Therefore, the confidence in the quality of the on-board module has been significantly increased.Heutzutage werden in zahlreichen Anwendungen modellbasierte Techniken zur Systementwicklung, insbesondere für sicherheitskritische Systeme wie Eisenbahnleit- und -sicherungssysteme, verwendet. Aus einem Design Modell kann dabei ausführbarer Code automatisch nach bestimmten Transformationsregeln generiert werden. Ein hochwertiges Modell des Systems bietet für die Entwicklung ein gutes Verständnis, eine günstige Struktur, eine angemessene Größenordnung und Abstraktionsebene als auch realistische Verhaltensweisen in Bezug auf den gleichzeitigen Betrieb von unabhängigen Subsystemen. Motiviert von dieses Prinzip wird ein erstes Farbige Petri-Netz (CPN)-Modell eines satellitenbasierten Zugsicherungssystem (SatZB) unter Verwendung der BASYSNET Methode entwickelt, der Petri-Netze als Beschreibungsmittel während des gesamten Entwicklungsprozesses nutzt. Dieses Modell bietet die Möglichkeit zur kontinuierlichen Simulation des Systemverhaltens. Nach der Erstellung des Systemmodells werden die Verifikationsaufgaben auf der Grundlage der Gefährdungsanalyse des Zugsicherungssystems identifiziert. Die abgeleiteten Bedingungen werden zur Qualitätssicherung durch Simulation, formale Analysen und Tests unter Berücksichtigung der vier Systemeigenschaften (Funktion, Zustand, Struktur und Verhalten) verifiziert. Für die Strukturanalyse wird das Konzept der offenen Netzen vorgeschlagen, um die Reproduzierbarkeit der leeren Markierungen der Szenario-Netze, die Existenz der Toten Transitionen in den Szenario-Netze, und die Abschluss Zustände der Szenario-Netze zu prüfen. Das Systemverhalten wird dabei durch Zustände beschrieben und durch eine Erreichbarkeitsanalyse untersucht. Im Gegensatz zu der konventionellen Methode, welche die Erreichbarkeit durch die Berechnung des Zustandsraums des Petri-Netzes analysiert, werden in dieser Arbeit Techniken auf Basis von Petri-Netz-Entfaltung eingeführt. Für die funktionale Verifikation werden zwei modellbasierte Testgenerierungstechniken, eine CPN-basierte und eine SPENAT (Sicheres Petrinetz mit Attributen)-basierte, vorgestellt. In dieser Arbeit werden die vorgeschlagenen Methoden durch die Anwendung auf das On-Board-Modul des SatZB-Modells veranschaulicht. Dabei wurden nach dem Abschluss der Prüfungen keine Fehler im Modul gefunden, wodurch das Vertrauen in die Qualität des On-Board-Moduls deutlich erhöht wurde

Transformación de diagramas de comportamiento a modelos de concurrencia

Este Trabajo Fin de Grado explora el uso de transformaciones de modelos de máquinas de estados a redes de Petri estocásticas generalizadas en el entorno de desarrollo de ingeniería de rendimiento software, y detalla la creación de una implementación del estudio teórico en una plataforma de desarrollo de software popular a través de ingeniería orientada a modelos. El estudio teórico se centrará en el tipo de modelos de concurrencia conocido como redes de Petri. Este modelo permite describir los modelos de comportamiento de sistemas comunes mediante diagramas abiertos a extracción de métricas y análisis, ampliando los horizontes de diseño de autómatas de estados finitos, una de las representaciones de comportamiento de sistemas más comúnmente utilizadas. Dichas transformaciones pues, conservarán todas propiedades del diagrama de modelado de la máquina de estados, añadiendo las ventajas del nuevo formalismo, así como útiles adicionales como medidas temporales y de control de recursos. La implementación buscará la maximización de la accesibilidad y agilidad de descripción de los sistemas diseñados por el usuario y facilitándole acceso a plataformas de análisis más completos sin requerir complejos diseños iniciales. El desarrollo de la aplicación estará basado en herramientas de desarrollo de software establecidas como el sistema de transformaciones de modelos ATL, desarrollada por la compañía vendedora de herramientas de software francesa OBEO y el Instituto Nacional francés de Investigación en Informática y Automática; el generador de código y plantillas Acceleo, desarrollado por la Fundación Eclipse; así como herramientas para el manejo de redes estocásticas de análisis como GreatSPN, desarrollada por la Universidad de Turín. Con estas herramientas estandarizadas, la aplicación marcará como objetivo ser lo más modular posible y compatible con otras, permitiendo expansiones del proyecto o acoplamiento a otros proyectos de mayor escala

Performance Evaluation of Train Moving-Block Control

In moving block systems for railway transportationa central controller periodically communicates to the train how far it can safely advance.On-board automatic protection mechanisms stop the train if no message is received during a given time window.In this report we consider as reference a typical implementation of moving-block control for metro and quantify the rate of spurious Emergency Brakes (EBs), i.e.~of train stops due to communication losses and not to an actual risk of collision. Such unexpected EBs can happen at any point on the track and are a major service disturbance. Our general formula for the EB rate requires a probabilistic characterization of losses and delays. We derive an exact formula for the case of homogeneous and independent packet losses and we use the results of this analysis to design an efficient Monte Carlo method that takes into account correlated losses due to handovers. We validate our approach via discrete-event simulations, including simulations with ns-3 for which we have developed additional modules for train systems.Our approach is computationally efficient even when emergency brakes are very rare (as they should be) and can no longer be estimated via discrete-event simulations

Business optimization through automated signaling design

M.Ing. (Engineering Management)Abstract: Railway signaling has become pivotal in the development of railway systems over the years. There is a global demand for upgrading signaling systems for improved efficiency. Upgrading signaling systems requires new signaling designs and modifications to adjacent signaling systems. The purpose of this research is to compare manually produced designs with design automation by covering the framework of multiple aspects of railway signaling designs in view of business optimization using computer drawings, programming software language and management of signaling designs. The research focuses on design automation from the preliminary design stage to the detailed design stage with the intention of investigating and resolving a common project challenge of time management. Various autonomous methods are used to seek improvement on the detailed design phase of re-signaling projects. An analysis on the project’s duration, resources and review cycles is conducted to demonstrate the challenges that are faced during the design of a project. Signaling designs are sophisticated and crucial in an ever-changing railway environment. As a result, there is a demand for efficiency and knowledge within railway signaling to achieve successful completion project target dates. A quantitative approach is used to identify the gaps leading to delays and best practices are applied using a comparative analysis to remediate on any snags that may potentially extend the project duration. The results illustrate that the resources required when automating detailed designs are reduced by two thirds for cable plans and book of circuits and reduced by one third for source documents. Successively, the projects benefit with reduced organizational resources, reduced design durations and reduced design review cycles. This research concludes that software integration of the signaling designs due to the efficiency and innovation of the selected computer drawing software and programming software language such as AutoCAD required less resources for computer drawings that are generated using automation tools compared to computer drawings that are generated manually. The resources required when automating the generation of signaling detailed designs are reduced for cable plans, book of circuits and source documents. This means that the business is optimized by utilizing less resources and subsequently delays are reduced during the design stage

Modélisation conjointe de la sûreté et de la sécurité pour l’évaluation des risques dans les systèmes cyber-physiques

Cyber physical systems (CPS) denote systems that embed programmable components in order to control a physical process or infrastructure. CPS are henceforth widely used in different industries like energy, aeronautics, automotive, medical or chemical industry. Among the variety of existing CPS stand SCADA (Supervisory Control And Data Acquisition) systems that offer the necessary means to control and supervise critical infrastructures. Their failure or malfunction can engender adverse consequences on the system and its environment.SCADA systems used to be isolated and based on simple components and proprietary standards. They are nowadays increasingly integrating information and communication technologies (ICT) in order to facilitate supervision and control of the industrial process and to reduce exploitation costs. This trend induces more complexity in SCADA systems and exposes them to cyber-attacks that exploit vulnerabilities already existent in the ICT components. Such attacks can reach some critical components within the system and alter its functioning causing safety harms.We associate throughout this dissertation safety with accidental risks originating from the system and security with malicious risks with a focus on cyber-attacks. In this context of industrial systems supervised by new SCADA systems, safety and security requirements and risks converge and can have mutual interactions. A joint risk analysis covering both safety and security aspects would be necessary to identify these interactions and optimize the risk management.In this thesis, we give first a comprehensive survey of existing approaches considering both safety and security issues for industrial systems, and highlight their shortcomings according to the four following criteria that we believe essential for a good model-based approach: formal, automatic, qualitative and quantitative and robust (i.e. easily integrates changes on system into the model).Next, we propose a new model-based approach for a safety and security joint risk analysis: S-cube (SCADA Safety and Security modeling), that satisfies all the above criteria. The S-cube approach enables to formally model CPS and yields the associated qualitative and quantitative risk analysis. Thanks to graphical modeling, S-cube enables to input the system architecture and to easily consider different hypothesis about it. It enables next to automatically generate safety and security risk scenarios likely to happen on this architecture and that lead to a given undesirable event, with an estimation of their probabilities.The S-cube approach is based on a knowledge base that describes the typical components of industrial architectures encompassing information, process control and instrumentation levels. This knowledge base has been built upon a taxonomy of attacks and failure modes and a hierarchical top-down reasoning mechanism. It has been implemented using the Figaro modeling language and the associated tools. In order to build the model of a system, the user only has to describe graphically the physical and functional (in terms of software and data flows) architectures of the system. The association of the knowledge base and the system architecture produces a dynamic state based model: a Continuous Time Markov Chain. Because of the combinatorial explosion of the states, this CTMC cannot be exhaustively built, but it can be explored in two ways: by a search of sequences leading to an undesirable event, or by Monte Carlo simulation. This yields both qualitative and quantitative results.We finally illustrate the S-cube approach on a realistic case study: a pumped storage hydroelectric plant, in order to show its ability to yield a holistic analysis encompassing safety and security risks on such a system. We investigate the results obtained in order to identify potential safety and security interactions and give recommendations.Les Systèmes Cyber Physiques (CPS) intègrent des composants programmables afin de contrôler un processus physique. Ils sont désormais largement répandus dans différentes industries comme l’énergie, l’aéronautique, l’automobile ou l’industrie chimique. Parmi les différents CPS existants, les systèmes SCADA (Supervisory Control And Data Acquisition) permettent le contrôle et la supervision des installations industrielles critiques. Leur dysfonctionnement peut engendrer des impacts néfastes sur l’installation et son environnement.Les systèmes SCADA ont d’abord été isolés et basés sur des composants et standards propriétaires. Afin de faciliter la supervision du processus industriel et réduire les coûts, ils intègrent de plus en plus les technologies de communication et de l’information (TIC). Ceci les rend plus complexes et les expose à des cyber-attaques qui exploitent les vulnérabilités existantes des TIC. Ces attaques peuvent modifier le fonctionnement du système et nuire à sa sûreté.On associe dans la suite la sûreté aux risques de nature accidentelle provenant du système, et la sécurité aux risques d’origine malveillante et en particulier les cyber-attaques. Dans ce contexte où les infrastructures industrielles sont contrôlées par les nouveaux systèmes SCADA, les risques et les exigences liés à la sûreté et à la sécurité convergent et peuvent avoir des interactions mutuelles. Une analyse de risque qui couvre à la fois la sûreté et la sécurité est indispensable pour l’identification de ces interactions ce qui conditionne l’optimalité de la gestion de risque.Dans cette thèse, on donne d’abord un état de l’art complet des approches qui traitent la sûreté et la sécurité des systèmes industriels et on souligne leur carences par rapport aux quatre critères suivants qu’on juge nécessaires pour une bonne approche basée sur les modèles : formelle, automatique, qualitative et quantitative, et robuste (i.e. intègre facilement dans le modèle des variations d’hypothèses sur le système).On propose ensuite une nouvelle approche orientée modèle d’analyse conjointe de la sûreté et de la sécurité : S-cube (SCADA Safety and Security modeling), qui satisfait les critères ci-dessus. Elle permet une modélisation formelle des CPS et génère l’analyse de risque qualitative et quantitative associée. Grâce à une modélisation graphique de l’architecture du système, S-cube permet de prendre en compte différentes hypothèses et de générer automatiquement les scenarios de risque liés à la sûreté et à la sécurité qui amènent à un évènement indésirable donné, avec une estimation de leurs probabilités.L’approche S-cube est basée sur une base de connaissance (BDC) qui décrit les composants typiques des architectures industrielles incluant les systèmes d’information, le contrôle et la supervision, et l’instrumentation. Cette BDC a été conçue sur la base d’une taxonomie d’attaques et modes de défaillances et un mécanisme de raisonnement hiérarchique. Elle a été mise en œuvre à l’aide du langage de modélisation Figaro et ses outils associés. Afin de construire le modèle du système, l’utilisateur saisit graphiquement l’architecture physique et fonctionnelle (logiciels et flux de données) du système. L’association entre la BDC et ce modèle produit un modèle d’états dynamiques : une chaîne de Markov à temps continu. Pour limiter l’explosion combinatoire, cette chaîne n’est pas construite mais peut être explorée de deux façons : recherche de séquences amenant à un évènement indésirable ou simulation de Monte Carlo, ce qui génère des résultats qualitatifs et quantitatifs.On illustre enfin l’approche S-cube sur un cas d’étude réaliste : un système de stockage d’énergie par pompage, et on montre sa capacité à générer une analyse holistique couvrant les risques liés à la sûreté et à la sécurité. Les résultats sont ensuite analysés afin d’identifier les interactions potentielles entre sûreté et sécurité et de donner des recommandations

Towards a Model-Centric Software Testing Life Cycle for Early and Consistent Testing Activities

The constant improvement of the available computing power nowadays enables the accomplishment of more and more complex tasks. The resulting implicit increase in the complexity of hardware and software solutions for realizing the desired functionality requires a constant improvement of the development methods used. On the one hand over the last decades the percentage of agile development practices, as well as testdriven development increases. On the other hand, this trend results in the need to reduce the complexity with suitable methods. At this point, the concept of abstraction comes into play, which manifests itself in model-based approaches such as MDSD or MBT. The thesis is motivated by the fact that the earliest possible detection and elimination of faults has a significant influence on product costs. Therefore, a holistic approach is developed in the context of model-driven development, which allows applying testing already in early phases and especially on the model artifacts, i.e. it provides a shift left of the testing activities. To comprehensively address the complexity problem, a modelcentric software testing life cycle is developed that maps the process steps and artifacts of classical testing to the model-level. Therefore, the conceptual basis is first created by putting the available model artifacts of all domains into context. In particular, structural mappings are specified across the included domain-specific model artifacts to establish a sufficient basis for all the process steps of the life cycle. Besides, a flexible metamodel including operational semantics is developed, which enables experts to carry out an abstract test execution on the modellevel. Based on this, approaches for test case management, automated test case generation, evaluation of test cases, and quality verification of test cases are developed. In the context of test case management, a mechanism is realized that enables the selection, prioritization, and reduction of Test Model artifacts usable for test case generation. I.e. a targeted set of test cases is generated satisfying quality criteria like coverage at the model-level. These quality requirements are accomplished by using a mutation-based analysis of the identified test cases, which builds on the model basis. As the last step of the model-centered software testing life cycle two approaches are presented, allowing an abstract execution of the test cases in the model context through structural analysis and a form of model interpretation concerning data flow information. All the approaches for accomplishing the problem are placed in the context of related work, as well as examined for their feasibility by of a prototypical implementation within the Architecture And Analysis Framework. Subsequently, the described approaches and their concepts are evaluated by qualitative as well as quantitative evaluation. Moreover, case studies show the practical applicability of the approach

A Model-Driven Methodology for Critical Systems Engineering

Model-Driven Engineering (MDE) promises to enhance system development by reducing development time, and increasing productivity and quality. MDE is gaining popularity in several industry sectors, and is attractive also for critical systems where they can reduce efforts and costs for verification and validation (V&V), and can ease certification. This thesis proposes a novel model-driven life cycle that is tailored to the development of critical railway systems. It also integrates an original approach for model-driven system validation, based on a new model named Computation Independent Test model (CIT). Moreover, the process supports the Failure Modes and Effect Analysis (FMEA), with a novel approach to conduct Model-Driven FMEA, based on custom SysML Diagram, namely the FMEA Diagram, and Prolog. The approaches have been experimented in multiple real-world case studies, from railway and automative domains