Engineering for Critical Systems: The Automatic Train Operation over European Train Control System for Freight Trains Use Case

simon collart-dutilleul; philippe bon; racem bougacha; régine laleau

Outline

Acadlore takes over the publication of IJTDI from 2025 Vol. 9, No. 4. The preceding volumes were published under a CC BY 4.0 license by the previous owner, and displayed here as agreed between Acadlore and the previous owner. ✯ : This issue/volume is not published by Acadlore.

Open Access

Research article

Engineering for Critical Systems: The Automatic Train Operation over European Train Control System for Freight Trains Use Case

simon collart-dutilleul¹^*

,

philippe bon¹

,

racem bougacha¹

,

régine laleau²

¹

COSYS/ESTAS, Université Gustave Eiffel, 59650 Villeneuve d’Ascq, France

²

LACL, Université Paris-Est Créteil, 94010 Créteil Cedex, France

International Journal of Transport Development and Integration

|

Volume 7, Issue 4, 2023

|

Pages 311-320

https://doi.org/10.18280/ijtdi.070405

Received: 02-20-2023,

Revised: 06-11-2023,

Accepted: 06-18-2023,

Available online: 12-27-2023

View Full Article|

Download PDF

Abstract:

Fulfilling norms is a way to respect all the safety properties embedded in norm specifications. Moreover, it provides interoperability qualities that are particularly relevant in the transport domain. The article proposes a modelling engineering approach using a semi-formal model phase to identify a multilayered decomposition of the system with domain experts. Then a transformation into formal models is used in order to verify and validate the behaviour with technical and safety experts. Propositions are illustrated on a case study from the transport domain: Automatic Train Operation (ATO) over European Train Control System (ETCS), also named AoE, for freight trains. ATO under the supervision of a human driver is sometimes presented as a first step toward autonomous train. This paper provides a system analysis of the available norms dealing with automatic train operation under driver supervision. The work focuses on the collaboration between an automatic software for braking and accelerating in the European normative and technological context, known as AoE. From the study of the available documents, we derive an architectural model of this global system containing on board automation and on track automated specific devices. The technical contribution is a proposition of an approach specifying a correct-by-construction software system. This software component respects the industrial norms of automated train. We explain how it is relevant to use a norm-based technical architecture, that allow drivers to identify various functioning phases where, depending on the overall context, they can let an automatic system drive the train or not.

Keywords: Model engineering, Formal method, European Railway Train Management System (ERTMS), Automatic Train Operation (ATO), ATO over ETCS (AoE), Grade of Automation (GoA), Autonomous freight train

1. Introduction

An ISO standard is the result of a process ensuing from an international industrial consensus. The norm provides a specification, the quality of which is ensured by international experts and may detail the mean to ensure a correct implementation of a given standard. To provide an example in the railway domain, the behavioural specification for the European Vital Computer (EVC) is documented in Subset 26 [1], but the mean for checking this subset fulfilment can be found in Subset 76 [2]. This last subset provides a set of test scenarios that have to be performed successfully, whereas a test bench specification is available in Subset 94 [3]. The European Commission required that corresponding tests have to be executed by independent test laboratories and a way for these independent laboratories to validate their ability is to be evaluated by a national accreditation office in charge of the respect of the ISO/IEC 17025 (https://www.boutique.afnor.org/en-gb/standard/iso-iec-170252017/general-requirements-for-the-competence-oftesting-and-calibration-laborato/xs129227/127779) norm. The global framework for EVC assessment is industrially running for many years. It is also efficient, but expensive because of the use of test benches belonging to external laboratories. Moreover, when the technical system becomes more complex, the quantity of tests exceeds, in the case of Subset 26 conformance, the quantity of 800 tests that must be performed on the real EVC. Considering that there are no laboratories for independent EVC testing in Netherlands, it is obvious that additional constraints introduced in the industrial process are heavy and expensive. In this paper another approach, to assess conformity to norms, is proposed. It transforms a model specifying the required behaviour into a formalism that allows generating byte code or source code in such a way that a continuous certified workflow produces the software, ensuring the required properties.

Section 2 explains step by step the global model engineering methodology while discussing the potential added value of norm modelling, providing examples relative to the railway domain. In Section 3, the methodology is partly illustrated on a case study. This case study is documented using normative or pre-normative documents and the main objects are identified and exploited in order to provide a set of software entities that may be used to build software services. Section 4 provides some conclusions and prospects concerning the remaining unsolved methodological, technical and scientific deadlocks.

2. Model Engineering Methodology

3. Case Study

4. Conclusion and Future Work

The paper proposes an alternative approach to model-based testing. Starting from a SysML model, the main architectural assumptions of the considered system may be formally validated through invariant fulfilment of an Event-B model. Moreover, a refinement link, for a particular implementation of the considered specification and a given model of the norm, contributes to the global conformity. A railway case study is provided in order to illustrate the methodology. It consists of using an automatic operation system over ETCS, while a driver is in charge of safety relevant operations. Analyzing normative documents, assumptions of functioning are explained in a first part of the paper. In a second part, a SysML model of the higher levels of the architecture is described. This SysML model is expressed in a dedicated profile and then transformed into Event-B specifications. This paper presents the main elements of an approach which is correct-by-construction. Applying the systematic multi-layered approach of the study [28] on the AoE case study may provide a more relevant document for software engineering scientist. It may provide an illustration of the methodology on a real size example. Moreover, this application may be used as a benchmark to evaluate concurrent tools and approaches promoted by the scientific community. Following this point of view, it may be useful to present a system analysis built directly on Subset 125 [19]. The case study of the presented paper is an extended version of a railway conference paper [20] presenting AoE as a building brick towards GoA4 autonomous trains. This aspect is not developed any more in the current document, but the underlying vision of this previous paper should be adapted to a wider audience than transport scientists. Starting from this context, the full specification of the methodology application on this case study is published (https://github.com/RacemBougacha/ATO-over-ETCS.git). In order to apply a KAOS methodology [32], it is obvious that further work concerning model engineering are needed. Considering a real size application, a tooled framework assisting the alignment process between high level goals and architecture component would be a precious help. Finally, the added value of the proposed alternative to classical model-based testing still needs to be evaluated from a scientific and technological point of view. Among other points, the reliability of the transformation process, promoted by the current study, is a critical point where formal proofs can contribute efficiently [33].

Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

References

[1] SUBSET-026: System Requirements Specification. Std, UNISIG. (2016).

[2] SUBSET-076-6-3: Test Sequences, Version 3.0.0. Std, European Railway Agency. (2015).

[3] SUBSET-094: Functional Requirements for an On-Board Reference Test Facility, Version 3.0.0. Std, European Railway Agency. (2014).

[4] Collart-Dutilleul, S., Pereira, D.I.D.A., Bon, P. (2022). Designing operating rules for ERTMS transnational lines. In: Collart-Dutilleul, S. (eds) Operating Rules and Interoperability in Trans-National High-Speed Rail. Springer, Cham. [Crossref]

[5] Bernabé, C.H., Silva Souza, V.E., Almeida Falbo, R.D., Guizzardi, R.S.S., Silva, C. (2019). GORO 2.0: Evolving an ontology for goal-oriented requirements engineering. In: Guizzardi, G., Gailly, F., Suzana Pitangueira Maciel, R. (eds) Advances in Conceptual Modeling. ER 2019. Lecture Notes in Computer Science(), 11787. Springer, Cham. [Crossref]

[6] Debbech, S., Bon, P., Dutilleul, S.C. (2019). Towards semantic interpretation of goal-oriented safety decisions based on foundational ontology. Journal of Computers, 14(4): 257–267, 2019. [Crossref]

[7] Delligatti, L. (2013). SysML Distilled: A Brief Guide to the Systems Modeling Language. Addison-Wesley.

[8] Bernardi, S., Donatelli, S., Merseguer, J. (2002). From UML sequence diagrams and statecharts to analysable petri net models. In Proceedings of the 3rd International Workshop on Software and Performance, pp. 35-45. [Crossref]

[9] Trowitzsch, J., Zimmermann, A. (2006). Using UML state machines and Petri nets for the quantitative investigation of ETCS. In Proceedings of the 1st International Conference on Performance Evaluation Methodolgies and Tools, pp. 34-es. [Crossref]

[10] Jabri, S., El Koursi, E.M., Bourdeaud’huy, T., Lemaire, E. (2010). European railway traffic management system validation using UML/Petri nets modelling strategy. European Transport Research Review, 2(2): 113-128. [Crossref]

[11] Abrial, J.R., Butler, M., Hallerstede, S., Hoang, T.S., Mehta, F., Voisin, L. (2010). Rodin: An open toolset for modelling and reasoning in Event-B. International Journal on Software Tools for Technology Transfer, 12: 447-466. [Crossref]

[12] Stankaitis, P., Iliasov, A., Kobayashi, T., Aït-Ameur, Y., Ishikawa, F., Romanovsky, A. (2021). A refinement-based development of a distributed signalling system. Formal Aspects of Computing, 33: 1009-1036. [Crossref]

[13] Lecomte, T., Comptier, M., Molinero, J., Sabatier, D. (2020). Ensuring Safety with System Level Formal Modelling. In: Margaria, T., Steffen, B. (eds) Leveraging Applications of Formal Methods, Verification and Validation: Applications. ISoLA 2020. Lecture Notes in Computer Science(), 12478. Springer, Cham. [Crossref]

[14] Behm, P., Benoit, P., Faivre, A., Meynadier, J.M. (1999). METEOR: A successful application of B in a large project. In World Congress on Formal Methods, 1708: 369-387.

[15] Bonvoisin, D. (2016). 25 years of formal methods at RATP. Proceeding of International Railway Safety Council (IRSC2016) Paris 2-7 October, 2016, pp. 1-8.

[16] Yar, A., Idani, A., Ledru, Y., Collart-Dutilleul, S. (2022). Visual animation of B specifications using executable DSLs. In Proceedings of the 25th International Conference on Model Driven Engineering Languages and Systems: Companion Proceedings, pp. 617-626. [Crossref]

[17] Ladenberger, L., Bendisposto, J., Leuschel, M. (2009). Visualising event-B models with B-motion studio. In: Alpuente, M., Cook, B., Joubert, C. (eds) Formal Methods for Industrial Critical Systems. FMICS 2009. Lecture Notes in Computer Science, 5825. Springer, Berlin, Heidelberg. [Crossref]

[18] Bougacha, R., Laleau, R., Bon, P., Collart-Dutilleul, S., Ben Ayed, R. (2023). Modeling train systems: From high-level architecture graphical models to formal specifications. In: Kallel, S., Jmaiel, M., Zulkernine, M., Hadj Kacem, A., Cuppens, F., Cuppens, N. (eds) Risks and Security of Internet and Systems. CRiSIS 2022. Lecture Notes in Computer Science, 13857. Springer, Cham. [Crossref]

[19] SUBSET-125: ATO over ETCS - System Requirements Specification. (Issue: 0.1.0). Std, UNISIG. (2018).

[20] Bon, P., Collart-Dutilleul, S., Bougacha, R. (2022). ATO over ETCS: A system analysis for freight trains. Computers in Railways XVIII: Railway Engineering Design and Operation, 213: 37-47.

[21] Kuhn, M. (2019). System architecture description, smartrail 4.0 architecture. Technical Report, Smartrail 4.0.

[22] SUBSET-126: ATO over ETCS - ATO-OB/ATO-TS FFFIS Application Layer Specification. (Issue: 0.0.16). Std, UNISIG. (2018).

[23] SUBSET-130: ATO over ETCS - ATO-OB/ETCS-OB FFIS Application Layer. (Issue: 0.1.0). Std, UNISIG. (2018).

[24] SUBSET-139: ATO over ETCS - ATO-OB/ Vehicle Interface Specification FIS. (Issue: 0.0.8). Std, UNISIG. (2018).

[25] Buurmans, K. (2019). Automatic train operation over legacy automatic train protection systems: A case study on the Groningen-Buitenpost line. Technical Report, Delft University of Technology. Master of Science in Civil Engineering at the Faculty of Civil Engineering and Geosciences, Department Transport & Planning of Delft University of Technology.

[26] SNCF. Specific driver rulebook for operating train in France, “Référentiel conducteur de ligne” (confidential document: Industrial property of SNCF).

[27] Holt, J., Perry, S. (2019). SysML for Systems Engineering: A model-based approach. (3rd Edition). Computing and Networks Series, Institution of Engineering and Technology, SBN978-1-78561-554-2.

[28] Bougacha, R., Laleau, R., Collart-Dutilleul, S., Ayed, R.B. (2022). Extending SYSML with refinement and decomposition mechanisms to generate EVENT-B specifications. In: Aït-Ameur, Y., Crăciun, F. (eds) Theoretical Aspects of Software Engineering. TASE 2022. Lecture Notes in Computer Science, 13299. Springer, Cham. [Crossref]

[29] Vanderhaegen, F. (2017). Towards increased systems resilience: new challenges based on dissonance control for human reliability in Cyber-Physical&Human Systems. Annual Reviews in Control, 44: 316-322. [Crossref]

[30] Wilson, J.R., Farrington-Darby, T., Cox, G., Bye, R., Hockey, G.R.J. (2007). The railway as a socio-technical system: Human factors at the heart of successful rail engineering. Proceedings of the Institution of Mechanical Engineers, Part F: Journal of Rail and Rapid Transit, 221(1): 101-115. [Crossref]

[31] Dahmann, J.S. (1997). High level architecture for simulation. In Proceedings First International Workshop on Distributed Interactive Simulation and Real Time Applications, Eilat, Israel, pp. 9-14. [Crossref]

[32] Matoussi, A., Gervais, F., Laleau, R. (2010). An event-B formalization of KAOS goal refinement patterns. Technical Report, HAL CCSD.

[33] Idani, A., Ledru, Y., Anwar, A. (2013). A rigorous reasoning about model transformations using the B method. In International Workshop on Business Process Modeling, Development and Support, Springer, Berlin, Heidelberg, pp. 426-440. [Crossref]

Cite this:

APA Style

IEEE Style

BibTex Style

MLA Style

Chicago Style

GB-T-7714-2015

Collart-dutilleul, S., Bon, P., Bougacha, R., & Laleau, R. (2023). Engineering for Critical Systems: The Automatic Train Operation over European Train Control System for Freight Trains Use Case. Int. J. Transp. Dev. Integr., 7(4), 311-320. https://doi.org/10.18280/ijtdi.070405

pdf

Citations