Embed Size (px)
DESCRIPTION
The slides are relative to the presentation of the omonymous paper at the 30th International Conference on Computer Safety, Reliability and Security (Safecomp 2011).This paper is about the generation of formal models form high level specification for the evaluation of maintenance on critical computer based systems.
Citation preview
Model-driven availability Model-driven availability evaluation of railway control evaluation of railway control
systemssystemsSimona Bernardi, Francesco Flammini, Stefano
Marrone,
Josè Merseguer, Camilla Papa, Valeria Vittorini
SAFECOMP 2011
September 19-22, 2011
Naples, Italy
OutlineOutline
Improving maintainabilityModel Driven modeling & evaluationImproving MARTE-DAMGenerating formal modelsThe Radio Block Centre case studyFuture directions
S. Marrone – Model-driven availability evaluation of railway control system 2
Improving maintainabilityImproving maintainability
S. Marrone – Model-driven availability evaluation of railway control system 3
BTS
RBC
WAN
EVCRTM BTM
TIU
DMI
Mobile Terminal
DRIVER
TRAIN
Balise Group
Movement Authorities & Static Speed Profiles
BaliseTelegram
Legend- RBC: Radio Block Center- WAN: Wide Area Network- IXL: Interlocking- BTS: Base Transceiver Station- DMI: Driver Machine Interface- EVC: European Vital Computer- RTM: Radio Transmission Module- TIU: Train Interface Unit- BTM: Balise Transmission Module
Position Reports
TracksideMan Machine Interface
Balise
IXL
Adjacent RBCs
Track Circuits
Track conditions
Hand-Overrelations
European Railway Traffic Management System / European Train Control System: a railway control standard ensuring performance, safety, reliability and interoperability in Europe
At Level 2, the Radio Block Center (RBC) manages train separation, by sending Movement Authorities radio messages to European Vital Computers (EVC) on the base of train Position Reports and Interlocking information
The EVC protects train movement by computing and supervising a safe speed profile
U=10-6
Improving maintainabilityImproving maintainability
Very high heterogeneityAbout 50% of human errors are in
meaintenance
S. Marrone – Model-driven availability evaluation of railway control system 4
San Diego blackout (2011) Birgenair Flight 301 (2006)
Improving maintainabilityImproving maintainability
Critical systems need quantitative evaluation of maintainability
Formal methods & industrial needs◦ Certification◦ Early phases of lifecycle◦ Integration in assessed development
processes◦ Simplicity of application
Still waiting for a miracle!S. Marrone – Model-driven availability evaluation of railway control system 5
Model Driven modeling & Model Driven modeling & evaluationevaluation
Model Driven Engineering promises:◦ to increase productivity in
software/systems development◦ to make formal methods more pervasive
in industrial contextsTwo pillars:
◦ Language Engineering◦ Model transformations
S. Marrone – Model-driven availability evaluation of railway control system 6
Model Driven modeling & Model Driven modeling & evaluationevaluation
S. Marrone – Model-driven availability evaluation of railway control system 7
High level modeling (system & requirements):Improvement of existing UML profilesDSLs definition
….M2M transformations application in order to generate formal sub models (PNs, FTs, QNs, BNs, etc)
Sub models integration by interfaces and compositional operators
M1 Mn…..
Level 1M2M
Level 2 M2M
Improving MARTE-DAMImproving MARTE-DAM
MARTE-Dependability Availability Maintenance
Improvements◦ Fault tolerance◦ Maintenance
S. Marrone – Model-driven availability evaluation of railway control system 8
Improving MARTE-DAMImproving MARTE-DAM
S. Marrone – Model-driven availability evaluation of railway control system 9
Improve modeling of K-out-of-N structures
Improving MARTE-DAMImproving MARTE-DAM
S. Marrone – Model-driven availability evaluation of railway control system 10
Trigger events that start maintenance
actions
Complex maintenance actions are
accomplished by teams
Maintainers are not all the
same!
Repairable Fault TreesRepairable Fault Trees
Implicit multi-formalism/multi-solution application
The RFT formalism supports any articulated repair policy
Iterative evaluation of (repairable) subtrees to enhance solving efficiency
Solvers: SHARPE + GreatSPN
S. Marrone – Model-driven availability evaluation of railway control system 11
Generating formal modelsGenerating formal models
S. Marrone – Model-driven availability evaluation of railway control system 12
Software (and systems) crisis is just evolving...
New way to reuse artifacts must be searched!!
Model Driven Engineering is not the silver bullet
Generating formal modelsGenerating formal models
Languages inheritance may induce Transformations inheritance
S. Marrone – Model-driven availability evaluation of railway control system 13
Module superposition
Generating formal modelsGenerating formal models
S. Marrone – Model-driven availability evaluation of railway control system 14
The Radio Block Centre case The Radio Block Centre case studystudy
S. Marrone – Model-driven availability evaluation of railway control system 15
The Radio Block Centre case The Radio Block Centre case studystudy
S. Marrone – Model-driven availability evaluation of railway control system 16
The Radio Block Centre case The Radio Block Centre case studystudy
S. Marrone – Model-driven availability evaluation of railway control system 17
Future directionsFuture directions
More complex repair scenariosExplicit multiformal model generationOptimal maintenance procedure
findingQuantitative evaluation of safety
properties by RFTs & Model Checking
S. Marrone – Model-driven availability evaluation of railway control system 18
