Critical Embedded Systems for Rail Transport
28/08/13
P.Poisson
Alstom Transport
Bio
• Head of the R&D programme in the Transport division (Signalling, Paris)
• Coordinator of the IRT SystemX programme for Alstom Transport
• Career: Alstom Transport -> railways; Océ -> computer graphics; Schlumberger -> information systems; Statec -> industrial automation
• Skills: industrial IT
• Programme definition
• Management of R&D activities
• Process engineering and tools
• Systems architecture
• Information systems
• Industrial automation
Pascal Poisson
Embedded systems in Railway domain
Objectives of this presentation:
- Create awareness about the reality and the future of embedded systems in the rail domain,
- Show how engineering effort can be contained.
Agenda:
• A few words about Rail domain
• Signaling: a large set of complex embedded systems
• Rail systems are safety critical
• Using Formal methods: A way to alleviate V&V activities
• Challenges of today and trends
May 2010
– 4 – Journée SysML – 13 Novembre 2012
Alstom: Four main activities
92,600 employees in 100 countries
Thermal Power sector: equipment & services for power generation
Transport sector: equipment & services for rail transport
Grid sector: equipment & services for power transmission
Renewable Power sector: equipment & services for power generation
Alstom Transport, the only railway multi-specialist
• The only manufacturer in the world to master all businesses of rail sector
• The most complete range of systems, equipment and services: Rolling Stock / Infrastructures / Signalling / Services / Turnkey transport systems
• N°1 in high and very high speed
• N°2 in urban transport (tramways, metros)
• N°2 in signalling
• N°2 in maintenance
24,700 employees in more than 60 countries
Rail: worldwide market size
(Chart: Rail Control market €12,000 M, 8% of the railway market, growth 3.0%)
Embedded systems in Railway domain
Agenda:
A few words about Rail domain
Signaling: a large set of complex embedded systems
Rail systems are safety critical
Using Formal methods: A way to alleviate V&V activities
Challenges of today and trends
Innovation opportunities in Rail applications
Main lines / railroads: national and international traffic
• Standards first
Metro / tramways: urban mass transit
• Mostly autonomous systems
• Performance first
• Open door to breakthroughs
On-board real-time systems
• Traction / braking control
• Various servo-control systems
• Failure detection and maintenance systems
• Assisted or automatic driving
• Safety management
• Traffic management
August 2008 -11
On board Signaling Systems
(Diagram: on-board signalling architecture; labels: onboard control module, I/O modules, MMI, odometer, antenna, modems, ticketing, CCTV, Internet access)
Signaling systems of a train station
(Diagram: topology of the signalling system; labels: critical systems, communication systems, passenger services, maintenance systems, operators and supervision systems)
What is Signalling?
Signalling is at the heart of the transport system:
• Ensure safety of people and trains, thanks to route control and train protection management
• Improve availability of the transport offer
• Ensure comfort of all users through traffic supervision, passenger information, ...
• Reduce operational costs through traffic and asset management
PPE CBTC - Introduction - PPA Reminder
Reminder: Global operation requirements
Transport passengers / freight efficiently from point A to point B while enforcing:
• The appropriate safety level
• The correct route and speed
• The planned schedules
whatever the conditions:
∙ Traffic density
∙ Perturbations and failures
Aligned with major signalling sub-systems
(Diagram: the operational needs mapped onto the three major signalling sub-systems: Interlocking handles routes; Automatic Train Control handles blocks and speed, i.e. nose-to-nose and catching-up protection; the Control Center handles schedules and priority)
Interlocking and Route concept
(Diagram: Interlocking highlighted among the sub-systems; its concern is routes)
Route concept
A route is a path from one signal to the next via a set of points.
Interlocking shall ensure compatibility between routes.
A route is a compromise:
• Too few points in a long route reduces the potential for other moves while the long route is set
• Too many points makes routes short, and many signals are required.
Route element: Train detection
To ensure that a route can be set or released, Interlocking uses train detection devices to check track occupancy.
(Diagram: axle counter block with a junction box, a pair of wheel detectors at each block limit, an axle counter evaluator and the Interlocking)
Track circuits
The track is divided into electrical sections, each with a transmitter and a receiver.
Train axles shunt the rails, preventing the transmitted signal from being detected by the receiver.
Axle counters
Each track section is delimited by 2 or more counting heads with wheel detectors.
An evaluator unit counts axles entering the section and subtracts axles leaving it.
Axle counters deliver the count result to the Interlocking.
The track is clear when the result is 0.
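As an added illustration (example code written for this page, not Alstom's interlocking software), the following Python model ties the two ideas of this slide together: an axle-counter evaluator that declares a section clear only when its in/out balance is exactly zero, and an interlocking that sets a route only when every section of the route is clear and no already locked route conflicts with it on shared sections or point positions. The layout, route names and point positions are constructed for the example; treating a negative balance as a counting fault that keeps the section occupied until a reset is this example's fail-safe choice, not a rule stated on the slide.

```python
from dataclasses import dataclass


class AxleCounter:
    """Evaluator unit for one track section: counts axles in and out.

    The section is clear only when the balance is exactly zero. A negative
    balance (more axles left than entered) is a plausibility fault; the
    section then stays 'occupied' until a reset confirmed by maintenance.
    That fail-safe treatment is this example's choice, not a rule from the slide.
    """

    def __init__(self, section):
        self.section = section
        self.balance = 0
        self.fault = False

    def axle_in(self):
        self.balance += 1

    def axle_out(self):
        self.balance -= 1
        if self.balance < 0:
            self.fault = True

    def clear(self):
        return self.balance == 0 and not self.fault

    def reset(self):
        self.balance = 0
        self.fault = False


@dataclass
class Route:
    name: str
    entry_signal: str
    sections: frozenset     # track sections the route runs over
    points: dict            # point id -> required position, "N" (normal) or "R" (reverse)


class Interlocking:
    def __init__(self, counters):
        self.counters = counters   # section id -> AxleCounter
        self.locked = {}           # route name -> Route currently set

    @staticmethod
    def conflicts(a, b):
        """Two routes are incompatible if they share a section or demand
        different positions of the same point."""
        if a.sections & b.sections:
            return True
        return any(a.points[p] != b.points[p] for p in a.points.keys() & b.points.keys())

    def can_set(self, route):
        """Return (ok, reason); the reason is meant for operator display."""
        for s in sorted(route.sections):
            if not self.counters[s].clear():
                return False, "section %s occupied or counter faulty" % s
        for other in self.locked.values():
            if self.conflicts(route, other):
                return False, "conflicts with locked route %s" % other.name
        return True, "ok"

    def set_route(self, route):
        ok, _ = self.can_set(route)
        if ok:
            self.locked[route.name] = route
        return ok

    def release(self, route):
        """A locked route is released only once all its sections are clear again."""
        if route.name in self.locked and all(self.counters[s].clear() for s in route.sections):
            del self.locked[route.name]
            return True
        return False


def demo():
    """Constructed layout: sections T1, T2, T3 and one point P1 behind signal S1."""
    counters = {s: AxleCounter(s) for s in ("T1", "T2", "T3")}
    ixl = Interlocking(counters)
    r1 = Route("R1", "S1", frozenset({"T1", "T2"}), {"P1": "N"})
    r2 = Route("R2", "S1", frozenset({"T1", "T3"}), {"P1": "R"})
    r3 = Route("R3", "S3", frozenset({"T3"}), {})
    out = {}
    out["set_R1"] = ixl.set_route(r1)              # all sections clear
    out["set_R2"] = ixl.set_route(r2)              # shares T1 and needs P1 reverse
    out["set_R3"] = ixl.set_route(r3)              # disjoint from R1
    for _ in range(4):                             # a 4-axle vehicle enters T1
        counters["T1"].axle_in()
    out["release_early"] = ixl.release(r1)         # T1 still occupied
    for _ in range(4):
        counters["T1"].axle_out()
    out["release_ok"] = ixl.release(r1)
    counters["T2"].axle_out()                      # counting error on T2
    out["set_R1_after_fault"] = ixl.can_set(r1)[0]
    counters["T2"].reset()
    out["set_R1_after_reset"] = ixl.can_set(r1)[0]
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the `demo()` sequence is the order of checks: occupancy comes from the counters, compatibility from the set of locked routes, and a counting fault is never resolved by the interlocking itself but only by an explicit reset.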
ATC and Block concept
(Diagram: Automatic Train Control highlighted among the sub-systems; its concerns are blocks and speed, i.e. nose-to-nose and catching-up protection)
From tokens to blocks
Basic: when a train leaves the station, the entire interstation is locked for it.
First enhancement: allow a second train, but keep a distance.
Second enhancement: put as many trains as possible.
• Hypotheses for sizing the blocks:
− The safe distance between two trains should be at least equal to the braking distance
− The preceding train is supposed to be stopped
− The distance is calculated for the worst-case braking
From signal blocks with ATP to ATC blocks
Third enhancement: provide protection (ATP) using a Speed Code.
In this case the speed limit is sent from track to train (usually through the track):
• The speed limit is computed automatically according to the occupation of the preceding blocks
• The on-board equipment receives the speed limit and controls the train accordingly if needed
• The size of the blocks shall still be defined according to the braking distance
• Train location is still done by the trackside
Fourth enhancement: provide protection (ATP) using the « Distance To Go » concept.
In this case the train targets a stopping point that it will not cross:
• The train receives information regarding the constraints ahead (signals, blocks, ...)
• The train locates itself on the track (using beacons, odometer, ...)
• The on-board computer computes a braking curve so as not to go past the closest constraint
(Diagram: speed-code example with 60 km/h, 30 km/h and 0 km/h codes)
Block operation : determines line capacity
• Headway: blocks determine the "headway", i.e. the line throughput of trains
• Each block detects trains with its own track circuit or axle counters
• Only 1 train in each block
• Red signals mean "Stop"; a yellow light is a warning (depends on IXL principles)
(Diagram: direction of traffic over successive track circuits, headway in minutes, red signal behind the occupied block)
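To make the sizing hypotheses of the preceding slides concrete, here is an added worked example in Python (not from the presentation) that computes the worst-case braking distance, the minimum fixed-block length it implies, the permitted speed under a speed code (as a function of free blocks ahead) and under distance-to-go (as a continuous braking curve), and the resulting headway for fixed block versus moving block. The speed, deceleration, block and train lengths are constructed values, and the headway formulas are deliberately simplified (constant deceleration, stopped leader, no reaction or dwell time), as the comments note.

```python
import math


def braking_distance(speed_mps, decel_mps2):
    """Worst-case braking distance from v to standstill at constant
    deceleration a: d = v^2 / (2a). The preceding train is assumed stopped."""
    if decel_mps2 <= 0:
        raise ValueError("deceleration must be positive")
    return speed_mps ** 2 / (2.0 * decel_mps2)


def min_block_length(line_speed_mps, decel_mps2, margin_m=0.0):
    """Fixed block: a block must be at least the braking distance from line
    speed (plus an optional safety margin), so that a train stopping at a
    red signal never enters the occupied block."""
    return braking_distance(line_speed_mps, decel_mps2) + margin_m


def speed_code_limit(blocks_free_ahead, line_speed_mps, decel_mps2, block_len_m):
    """Speed code: a per-block permitted speed derived from the number of free
    blocks ahead. The train may run at the speed from which it can stop
    within the free distance, capped at line speed (0 free blocks -> 0)."""
    free_m = max(0, blocks_free_ahead) * block_len_m
    return min(line_speed_mps, math.sqrt(2.0 * decel_mps2 * free_m))


def distance_to_go_limit(distance_to_stop_m, line_speed_mps, decel_mps2):
    """Distance to go: continuous braking curve towards a target stopping
    point the train must not cross: v(d) = sqrt(2 a d), capped at line speed.
    A non-positive distance (at or past the target) permits no movement."""
    if distance_to_stop_m <= 0.0:
        return 0.0
    return min(line_speed_mps, math.sqrt(2.0 * decel_mps2 * distance_to_stop_m))


def fixed_block_headway_s(line_speed_mps, decel_mps2, block_len_m, train_len_m):
    """Simplified fixed-block headway: the follower keeps enough free blocks to
    brake from line speed, plus the block occupied by the leader, plus the
    leader's own length. Ignores reaction time and station dwell, so the
    absolute figure is optimistic; the comparison with moving block is the point."""
    n_brake = math.ceil(braking_distance(line_speed_mps, decel_mps2) / block_len_m)
    separation_m = (n_brake + 1) * block_len_m + train_len_m
    return separation_m / line_speed_mps


def moving_block_headway_s(line_speed_mps, decel_mps2, train_len_m, margin_m=0.0):
    """Moving block: separation is the braking distance plus train length plus
    margin, independent of any fixed block boundary (same simplifications)."""
    separation_m = braking_distance(line_speed_mps, decel_mps2) + train_len_m + margin_m
    return separation_m / line_speed_mps


def capacity_gain(line_speed_mps, decel_mps2, block_len_m, train_len_m):
    """Trains per hour under both schemes and the relative gain of moving block."""
    fixed = 3600.0 / fixed_block_headway_s(line_speed_mps, decel_mps2, block_len_m, train_len_m)
    moving = 3600.0 / moving_block_headway_s(line_speed_mps, decel_mps2, train_len_m)
    return {"fixed_tph": fixed, "moving_tph": moving, "gain": moving / fixed - 1.0}


if __name__ == "__main__":
    # Constructed figures: 72 km/h (20 m/s), 1.0 m/s^2 worst-case braking,
    # 100 m blocks, 100 m trains.
    v, a, block, train = 20.0, 1.0, 100.0, 100.0
    print("braking distance (m):", braking_distance(v, a))
    for free in range(0, 4):
        print("speed code, %d free blocks -> %.1f m/s" % (free, speed_code_limit(free, v, a, block)))
    for d in (0.0, 50.0, 200.0, 400.0):
        print("distance to go %.0f m -> %.1f m/s" % (d, distance_to_go_limit(d, v, a)))
    print(capacity_gain(v, a, block, train))
```

With these constructed figures the speed code already allows line speed with two free blocks, while distance-to-go gives a smooth curve (10 m/s at 50 m, 20 m/s from 200 m); the fixed-block headway comes out at 20 s against 15 s for moving block, a one-third gain in throughput under the simplified model.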
From Fixed Block to Moving Block
(Diagram: three track-circuit blocks under three protection schemes. Speed code: the speed profile drops block by block (40, then 0) ahead of the stopping point. Distance to go: a braking curve towards the stopping point, bringing a gain in capacity. CBTC moving block: a braking curve towards the end of authority, bringing an additional gain)
Basic Traffic control and schedule
(Diagram: Control Center highlighted among the sub-systems; its concerns are schedules and priority)
Schedule concept in railways
• Traffic control is needed to optimise the use of the track by trains
• Traffic control runs a train only when its route can be set, to avoid unexpected delays and traffic jams
• In metros, trains can run following a time-table, or respecting a headway
• In case of perturbation, the control room operator must be able to modify the traffic
Time-table versus Headway
(Diagram: regulation based on time-table, with departures at 09:53, 10:28, 12:05 and 13:57, versus regulation based on headway, with intervals of 2 min and 3 min)
Conclusion – Signaling basic concepts
To fulfil the global needs, the rail industry has developed three major concepts, carried by the Interlocking, Automatic Train Control and the Control Center:
• Route: the path that is assigned to a train to go from A to B. The route ensures the basic protection
• Block: the concept that permits a safe separation between succeeding trains
• Schedule: the concept that permits train circulation without stopping to free an occupied section of the track
Embedded systems in Railway domain
Agenda:
• A few words about Rail domain
• Signaling: a large set of complex embedded systems
• Rail systems are safety critical
• Using Formal methods: A way to alleviate V&V activities
• Challenges of today and trends
Reference Standard: CENELEC
The EN 50126 standard covers the specification and demonstration of safety for all railway applications, at all levels:
− from complete railway routes
− to major systems
− to individual and combined sub-systems
− to components within these major systems, including those containing software and hardware.
• The standard also addresses Reliability, Availability and Maintainability (RAM) where they contribute to Safety.
• EN 50126 is the entry point and parent standard for the other European standards of the railway domain:
− EN 50128: Software, recent update 2011, the most constraining
− EN 50129: Electronics
Safety level is specified
• The safety of a system is the property that the rate of failures with potentially dangerous consequences is low enough to reduce the overall risk (i.e. the probability of injuries, fatalities, damage) to a specified acceptable value.
SIL definition (Safety Integrity Level)
For continuous operation (Probability of Failure per Hour):

SIL   PFH                           PFH (powers of ten)   RRF
1     0.00001 - 0.000001            10^-5 - 10^-6         100,000 - 1,000,000
2     0.000001 - 0.0000001          10^-6 - 10^-7         1,000,000 - 10,000,000
3     0.0000001 - 0.00000001        10^-7 - 10^-8         10,000,000 - 100,000,000
4     0.00000001 - 0.000000001      10^-8 - 10^-9         100,000,000 - 1,000,000,000

RRF: Risk Reduction Factor (RRF = 1 / PFH)
Development Cycle ruled by safety cycle
1. Consider safety implications of the project · Review safety policy & safety targets
2. Perform preliminary hazard analysis · Establish safety plan · Define tolerability-of-risk criteria
3. Perform system hazard & safety risk analysis · Set up hazard log · Perform risk assessment
4. Specify system safety requirements · Define safety acceptance criteria · Define safety-related functional requirements · Establish safety management
5. Implement safety plan by review, analysis, testing and data assessment, addressing: hazard log · hazard analysis & risk assessment · justification of safety-related design decisions
6. Establish commissioning program · Implement commissioning program · Prepare application-specific safety case
From Generic product to customer case
Context: Railway signalling system development
Safety critical development process: "Traditional V-Cycle"
User need -> System specification -> Architecture -> Design -> Implementation -> Verification -> Validation -> Commissioning
Context: Railway signalling system development
Safety critical development process: "Safety Activities"
Preliminary Hazard Analysis (PHA) -> System Hazard Analysis (SHA) -> Subsystem Hazard Analysis -> Hw / Sw Hazard Analysis -> Safety Review -> Verification report -> Validation report -> Certification
Assisted safety analysis integrated to the design cycle
Model Based Approach: System Design with SysML
Roadmap:
• From document-based SE to model-based SE (SysML)
• Build a DSL for safety activities (PHA – FMEA)
• Safety early validation with formal modelling (Altarica)
• Traceability
Specification with SysML
Three viewpoints:
• Operational
• Functional: activities hierarchy
• Constructional: blocks hierarchy
Allocation: iterative process over the constructional hierarchy
(Diagram: constructional hierarchy of a CBTC: CBTC -> ATS, IXL, ZC, CC; CC -> CC Vital, CC NonVital; each down to Hw and Sw)
Illustration of System Eng. Concepts in SysML
• Operational viewpoint: environment of the system, context of use
• Functional viewpoint (function = activity): FBS, functions behaviour
SysML representation of SE concepts
Model Based Approach: Safety Process & Safety DSL
Hazards Analysis on SysML System Specification
(Diagram: hazard analysis hierarchy on the SysML specification: PHA accident cases at the top; SHA (FMEA) of the effects of function failures for ATS, IXL, ZC and CC (CC NV, CC V); FMEA Hw and SwEEA at the bottom; causes and consequences link the levels)
Hazard analysis with the DSL
PHA – SHA modelling concepts
PHA: identify accident scenarios
SHA: exhaustive analysis of all function failures
(Diagram of the DSL concepts: products and functions; a HAZARD, under an operational context and conditions (zone, mode, phase), leads to an ACCIDENT with its consequences; barriers reducing the accident occurrence and barriers reducing the accident severity, backed by operating rules and safety requirements)
DSL for PHA & SHA interoperable with SysML
Model Based Approach: Traceability between SysML and Safety DSL
Traceability inside Safety model : Failure decomposition
Failures at level i+1 are causes of failures at level i.
Failures of low-level functions develop into system accidents:
(Diagram: system level: accident; subsystem level: subsystem failure; low-level function: software failure)
Propagation of errors
Errors are propagated through dataflow links.
An erroneous value received as input can be the cause of a failure.
Model Based Approach: Formal semantics for the safety DSL, automatic translation
Formal semantics for the Safety DSL
Why?
− To generate the fault trees,
− To compute the sequences,
− To perform early validation of the system safety.
What?
− Guarded Transition System: Altarica (thesis – Point, G. 2000)
How?
− Control flow (event, guard): to model the occurrences of failures,
− Data flow: to study error propagation.
Altarica overview
Textual syntax to describe GTS (Guarded Transition Systems)
• Hierarchy of nodes
• Node
• Sub-nodes
• Data flow connectors (in/out)
• Events
• States
• Transitions
• Assertions
http://altarica.labri.fr
Translation - Overview
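As an added example (not Altarica and not Alstom tooling), the Python below implements the guarded-transition-system idea of the preceding slides in miniature, and also illustrates the earlier slides on failure decomposition and error propagation: failure events with guards form the control flow, an assertion function computes the data flow, an erroneous "clear" from a track circuit propagates as input into the interlocking's route decision, and an exhaustive search over event orderings returns the minimal sequences that lead to the accident state. The components, events and accident definition are constructed for the example; the translation from a SysML/DSL model is not shown.

```python
from itertools import permutations

# Constructed scenario: one train present on the section, all equipment
# healthy, no operator override. 'train_present' is an environment fact.
INITIAL = {"train_present": True, "tc": "ok", "ixl": "ok", "override": False}


def flows(state):
    """Data flow assertion: compute the observable flows from the state.
    A track circuit in 'spurious_clear' reports the section free although a
    train is there; that erroneous value is the interlocking's input, so the
    error propagates into the route decision. 'fail_safe' reports occupied
    regardless, which blocks the route (loss of availability, not safety)."""
    occupied = (state["train_present"] and state["tc"] != "spurious_clear") \
        or state["tc"] == "fail_safe"
    route_set = (not occupied) or state["ixl"] == "error" or state["override"]
    return {"occupied": occupied, "route_set": route_set,
            "accident": route_set and state["train_present"]}


def _set(var, value):
    return lambda s: {**s, var: value}


# Control flow: (event, guard, action). Each failure can occur once per
# component; the override is only possible once a route has been refused
# with the detection device known to be in its fail-safe state.
TRANSITIONS = [
    ("tc_spurious_clear", lambda s: s["tc"] == "ok", _set("tc", "spurious_clear")),
    ("tc_fail_safe", lambda s: s["tc"] == "ok", _set("tc", "fail_safe")),
    ("ixl_error", lambda s: s["ixl"] == "ok", _set("ixl", "error")),
    ("operator_override",
     lambda s: s["tc"] == "fail_safe" and not flows(s)["route_set"],
     _set("override", True)),
]
EVENTS = [ev for ev, _, _ in TRANSITIONS]


def run(sequence, initial=INITIAL):
    """Fire the events in order; None if some event is not enabled when reached."""
    state = dict(initial)
    for event in sequence:
        for ev, guard, action in TRANSITIONS:
            if ev == event and guard(state):
                state = action(state)
                break
        else:
            return None
    return state


def accident_sequences(max_len):
    """All feasible ordered event sequences of length <= max_len that end in
    the accident state (each event at most once, since guards disable repeats)."""
    found = []
    for n in range(1, max_len + 1):
        for seq in permutations(EVENTS, n):
            end = run(seq)
            if end is not None and flows(end)["accident"]:
                found.append(seq)
    return found


def is_subsequence(short, long):
    it = iter(long)
    return all(x in it for x in short)


def minimal_sequences(max_len=2):
    """Keep only sequences no proper subsequence of which already leads to
    the accident: the GTS counterpart of minimal cut sets, but ordered."""
    found = accident_sequences(max_len)
    return sorted(s for s in found
                  if not any(o != s and is_subsequence(o, s) for o in found))


if __name__ == "__main__":
    for seq in minimal_sequences():
        print(" -> ".join(seq))
```

Running it yields three minimal sequences: a single `ixl_error`, a single `tc_spurious_clear`, and the ordered pair `tc_fail_safe` then `operator_override`. The last one is the reason sequences rather than cut sets are computed: the override event is only enabled after the fail-safe failure, so the reverse order is infeasible, and the fail-safe failure on its own never reaches the accident state.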
Embedded systems in Railway domain
Agenda:
• A few words about Rail domain
• Signaling: a large set of complex embedded systems
• Rail systems are safety critical
• Using Formal methods: A way to alleviate V&V activities
• Challenges of today and trends
Cenelec: expected production and evidence
33 artefacts to produce!
Formal Methods
• Demonstrate mathematically that what is produced is equivalent to the intent and is totally deterministic.
• Various techniques are used, e.g. symbolic analysis (conversion of an expected behaviour into automata where the paths from root to leaves can be analysed, thus demonstrating inconsistencies or under-specifications).
• In this session the B language is briefly introduced.
Symbolic analysis: functional overview
– 54 – MBAT
Concretely – Steps 1 to 4
Step 1: Specify the system architecture using composite structures, and the interactions between components using sequence diagrams (combining operators, data constraints, timed constraints)
Step 2: Translate into a formal representation (Timed Input Output Symbolic Transition System), with seamless integration
Step 3: Symbolic execution and projection; a non-empty trace ensures a feasible interface
Step 4: Generate a test input sequence for a given component from its unitary behaviour
Test execution algorithm (process)
1. Submit to the SUT (System Under Test) a sequence of inputs and waiting delays
2. Test execution on the SUT produces an output sequence and delays
3. The output sequence is merged with the input sequence to form an input-output trace
4. The resulting traces are analysed in order to provide verdicts
(Diagram: component C2 receives a timed input sequence and produces a timed output sequence; merge() builds the timed input-output sequence; verdict computation() yields Pass, WeakPass, Inconc or Fail; timing annotation <0.5 ms)
Diversity Testbed (industrial environment)
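The four steps above, as an added Python example (not the Diversity testbed and not Alstom code): a test case is a timed input sequence plus the output sequence the symbolic model targets and the alternative sequences it accepts; the SUT is driven with the inputs, its outputs are merged into a timed input-output trace, and a verdict Pass / WeakPass / Inconc / Fail is computed. The verdict rules are this example's assumptions, stated in the docstring, not the presentation's definitions; the toy door controller, the message names and the timings are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Timed:
    t_ms: float
    msg: str


class ToyDoorController:
    """Constructed SUT. open_cmd -> door_opened after 120 ms; close_cmd ->
    door_closed after close_latency ms, unless an obstacle is sensed (an
    environment condition, not a test input), in which case -> door_reopened
    after 200 ms. Any other message is answered with unknown_cmd after 10 ms."""

    def __init__(self, close_latency=150.0, obstacle_present=False):
        self.close_latency = close_latency
        self.obstacle_present = obstacle_present

    def __call__(self, msg):
        if msg == "open_cmd":
            return [(120.0, "door_opened")]
        if msg == "close_cmd":
            if self.obstacle_present:
                return [(200.0, "door_reopened")]
            return [(self.close_latency, "door_closed")]
        return [(10.0, "unknown_cmd")]


def run_sut(timed_inputs, sut):
    """Steps 1-2: submit each input after its waiting delay and collect the
    SUT's outputs stamped with absolute time (ms since test start)."""
    clock, outputs = 0.0, []
    for delay, msg in timed_inputs:
        clock += delay
        outputs.extend(Timed(clock + d, m) for d, m in sut(msg))
    return sorted(outputs, key=lambda o: o.t_ms)


def merge(timed_inputs, outputs):
    """Step 3: interleave inputs and outputs into one timed I/O trace;
    at equal timestamps an input is placed before an output."""
    clock, trace = 0.0, []
    for delay, msg in timed_inputs:
        clock += delay
        trace.append(("in", Timed(clock, msg)))
    trace.extend(("out", o) for o in outputs)
    trace.sort(key=lambda e: (e[1].t_ms, e[0] == "out"))
    return trace


def verdict(trace, target, accepted, tolerance_ms):
    """Step 4. Verdict rules assumed for this example:
    Pass     - outputs are exactly the targeted sequence, each by its deadline
    WeakPass - same sequence, but some output is late by at most tolerance_ms
    Inconc   - outputs follow another behaviour the model accepts, so the
               targeted path was not exercised
    Fail     - anything else (unexpected output, or too late)"""
    outs = [o for kind, o in trace if kind == "out"]
    msgs = tuple(o.msg for o in outs)
    if msgs == tuple(m for m, _ in target):
        lateness = max((o.t_ms - deadline for o, (_, deadline) in zip(outs, target)), default=0.0)
        if lateness <= 0.0:
            return "Pass"
        if lateness <= tolerance_ms:
            return "WeakPass"
        return "Fail"
    if msgs in accepted:
        return "Inconc"
    return "Fail"


def run_test(sut, timed_inputs, target, accepted, tolerance_ms=50.0):
    outputs = run_sut(timed_inputs, sut)
    return verdict(merge(timed_inputs, outputs), target, accepted, tolerance_ms)


# Constructed test case: the targeted path is open then close, with absolute
# deadlines; the model also accepts the obstacle path (open then reopen).
INPUTS = [(0.0, "open_cmd"), (500.0, "close_cmd")]
TARGET = [("door_opened", 150.0), ("door_closed", 700.0)]
ACCEPTED = {("door_opened", "door_reopened")}

if __name__ == "__main__":
    print(run_test(ToyDoorController(), INPUTS, TARGET, ACCEPTED))
    print(run_test(ToyDoorController(close_latency=210.0), INPUTS, TARGET, ACCEPTED))
    print(run_test(ToyDoorController(close_latency=300.0), INPUTS, TARGET, ACCEPTED))
    print(run_test(ToyDoorController(obstacle_present=True), INPUTS, TARGET, ACCEPTED))
```

The four runs give Pass, WeakPass, Fail and Inconc in that order: the same input sequence is replayed against a nominal, a slightly slow, a too slow and an obstacle-sensing controller, and only the timing of the merged trace and its membership in the model's accepted behaviours decide the verdict.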
Presentation of the B method
Positioning of System B (Event B)
Positioning of Software B
Software B references
Event B references
Basic notions
Software B approach
Proof principle
System B approach
Traditional design cycle
B design cycle: validation by formal proofs
Benefits of the method
Comparison with other languages
Design tools
Teaching B
Embedded systems in Railway domain
Agenda:
• A few words about Rail domain
• Signaling: a large set of complex embedded systems
• Rail systems are safety critical
• Using Formal methods: A way to alleviate V&V activities
• Challenges of today and trends
FSF
Objectives: two themes
Execution platform
• High level of RAMS requirements
• Controlled execution of mixed-criticality applications on multi-core
• Pre-certification
• Pre-industrial demonstrator (TRL 6)
System / software design
• System architecture framework matched to the business domains
• Component-based software design with a generation chain dedicated to deployment on the platform
• Continuous validation and verification
• Mature tools and methodological frameworks (TRL 5 -> 7)
A signalling system is a combination of distributed systems, forming a system of systems
CBTC
• An execution platform with a safety architecture
• An "embedded control software" product with components of different criticality levels
(Diagram: control & operation, IXL and supervision; IXL software on a SIL4 execution product, supervision software on a SIL2 execution product, C&O software on a SIL4 execution product; on-board: ATO, ATP and AP control software on a SIL4 execution product; trackside: control software on a SIL4 execution product)
A new generation of Systems is born: Cooperation of Autonomous Systems
... with the ultimate goal of getting autonomous vehicles moving towards their destination in optimised traffic.
Like cars in traffic, each train can keep a safe distance from the vehicle in front, and trace its route to reach its destination in time... safely.
Exciting challenges ahead...
• Railway systems are undergoing profound change.
• Embedded systems will have to carry the intelligence of vehicle mobility, with dependability.
• The resulting complexity requires an engineering environment that meets the industrial challenges.
• Multimodality and the opening of the market will increase the needs.
Questions
www.alstom.com