Siemens Rail Automation Embedding Innovation: A Case Study. Introduction of Mathematical Verification techniques to Railway Interlockings


1 Siemens Rail Automation Embedding Innovation: A Case Study Introduction of Mathematical Verification techniques to Railway Interlockings siemens.co.uk/rail

2 Railway Signalling and Control Systems: Keeping Trains Apart

3 Damaging when things go wrong!

4 Today's Computer-Based Interlockings: There is nothing to see! It must work safely!

5 Original Driver to this Innovative Work
Today's interlockings have become far larger in geographical coverage and far more complex in their operation. The existing data-preparation tools, developed over a long period, continue to struggle to keep up with both the complexity and the technology. With few remaining constraints on memory and processing power, the railway operator looks for significantly increased flexibility of operation. So, with a higher potential for error as a result of the increased volume of data, and with the opportunity to apply Trackguard WESTRACE technology to the railway, formal-methods approaches were investigated. Because WESTRACE configuration data is ladder logic, and ladder logic is directly representable as Boolean equations, the format lends itself to mathematical analysis.

6 Formal Verification
There are many different formal methods; each requires a different degree of understanding of the system under development, of its development process, and of the range of mathematical models used. One such technique that we have sought to introduce is formal verification.
Automated review:
- The requirement is expressed in formal logic.
- The system is expressed as a formal model.
- A software program proves that the model satisfies the requirement, or finds a counterexample for debugging.
Benefits:
- 100% coverage of the modelled behaviour against the stated requirements (the model and the requirements themselves still need review).
- Automated: quick and repeatable.
- Executable documentation.
Uses:
- Property verification.
- Equivalence check.

7 Interlocking Data: Automation
Working in partnership with Prover Technology, using the products Prover iLock and Prover Certifier for automated development and sign-off verification (SIL 4) of interlocking data.
Basic thesis of the automation approach:
- Create interlocking data automatically from railway layout data.
- Run functional testing of the interlocking data automatically.
- Prove the interlocking data against the safety principles automatically.
Game changer: this proof permits the removal of office-based principles testing. This fundamentally changes the activities of the Designer and the Checker, and the expectations of the customer.

8 Prover Certifier (Sign-off Verification)
- Creates safety evidence that rail control software code always respects the safety requirements, based on formal verification (formal proof).
- Safety requirements: CENELEC EN SIL 4.
- Diversification is used within Prover Certifier, including logging and independent checking of all proofs.
- Supports several different software code languages (general-purpose and supplier-specific languages); even binary code can be verified.
Code: [figure]

9 Defining the Interlocking Requirements: Object Model
The Interlocking Object Model is the means of identifying the signalling principles. We define the inputs and outputs (name, control bits, function) and the dynamic and static attributes needed to specify each safety principle. Example principle:
- Route Locking: Routes from Entrance Signal. A route can only be set if all other routes from the entrance signal are normal.
- Applicability: Main, Call-on and Shunt.
- Trace: GK/RT Appendix 1-7.
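The slides on formal verification and on the object model describe the same workflow: interlocking data written as Boolean equations, a safety principle written as a formal property, and a tool that either proves the property or returns a counterexample (and, separately, can check two versions of the data for equivalence). The following is an added example, not Siemens or Prover Technology code and not real WESTRACE data. It models a hypothetical entrance signal S1 with two routes, R1 over the points normal and R2 over the points reverse, as two hand-written ladder-style set/hold equations, and checks the route-locking principle quoted above, NOT(r1_set AND r2_set), by exhaustively enumerating every reachable state under every input combination. A real verifier uses SAT-based proof rather than enumeration, but the inputs and outputs of the check (property, model, environment assumption, counterexample trace) are the same. All signal, route and input names are assumptions of this example.

```python
"""Property verification and equivalence check on toy interlocking data.

Added example, not Siemens or Prover code.  Two routes, R1 and R2, leave a
hypothetical entrance signal S1; R1 needs the points normal, R2 needs them
reverse.  Their set/hold equations are written in the Boolean form that
ladder logic reduces to.  The object-model principle "a route can only be
set if all other routes from the entrance signal are normal" becomes the
property NOT(r1_set AND r2_set).  The state space is tiny, so instead of a
SAT/BMC engine we simply enumerate every reachable state under every input.
"""
from collections import deque
from itertools import product

INPUTS = ("req_r1", "req_r2", "pts_normal", "pts_reverse", "track_clear", "cancel")
INIT = {"r1_set": False, "r2_set": False}  # both routes normal at start-up


def step_locked(s, i):
    """Ladder logic with cross-locking: each route's set term includes the
    other route's normal (not-set) contact.  Hypothetical equations."""
    return {
        "r1_set": (i["req_r1"] and i["pts_normal"] and i["track_clear"]
                   and not s["r2_set"]) or (s["r1_set"] and not i["cancel"]),
        "r2_set": (i["req_r2"] and i["pts_reverse"] and i["track_clear"]
                   and not s["r1_set"]) or (s["r2_set"] and not i["cancel"]),
    }


def step_unlocked(s, i):
    """Same data with the cross-lock contact dropped from R2 (a data error)."""
    n = step_locked(s, i)
    n["r2_set"] = ((i["req_r2"] and i["pts_reverse"] and i["track_clear"])
                   or (s["r2_set"] and not i["cancel"]))
    return n


def route_locking(s):
    """Safety property: R1 and R2 are never set together."""
    return not (s["r1_set"] and s["r2_set"])


def points_consistent(i):
    """Environment assumption: points detection is never normal and reverse at once."""
    return not (i["pts_normal"] and i["pts_reverse"])


def all_inputs(env=lambda i: True):
    """Every input combination the environment assumption allows."""
    for bits in product((False, True), repeat=len(INPUTS)):
        i = dict(zip(INPUTS, bits))
        if env(i):
            yield i


def verify(step, prop, env=lambda i: True, init=INIT):
    """Breadth-first search of reachable states.  Returns None if prop holds
    everywhere, else the shortest trace [(inputs, state), ...] to a violation."""
    def key(s):
        return tuple(sorted(s.items()))
    seen = {key(init)}
    queue = deque([(init, [])])
    while queue:
        s, trace = queue.popleft()
        if not prop(s):
            return trace
        for i in all_inputs(env):
            n = step(s, i)
            if key(n) not in seen:
                seen.add(key(n))
                queue.append((n, trace + [(i, n)]))
    return None


def equivalent(step_a, step_b, env=lambda i: True):
    """Equivalence check: same next state for every (state, input) pair.
    Returns None if equivalent, else the first differing (state, inputs)."""
    for bits in product((False, True), repeat=2):
        s = dict(zip(("r1_set", "r2_set"), bits))
        for i in all_inputs(env):
            if step_a(s, i) != step_b(s, i):
                return s, i
    return None


if __name__ == "__main__":
    print("locked, points consistent:", verify(step_locked, route_locking, points_consistent))
    print("locked, unconstrained env:", verify(step_locked, route_locking))
    print("unlocked, points consistent:", verify(step_unlocked, route_locking, points_consistent))
    print("locked vs unlocked differ at:", equivalent(step_locked, step_unlocked, points_consistent))
```

Three things worth noticing when running it. With the cross-lock contacts present and the points-detection assumption stated, the property is proved (no trace). With the R2 cross-lock dropped, the checker returns a two-step trace: set R1, then request R2, which is exactly the "counterexample for debug" the formal-verification slide refers to. And with the cross-locks present but the environment left unconstrained, the checker still finds a one-step violation, because it explores the physically impossible input where points detection shows normal and reverse at once; the proof is only as good as the static attributes and assumptions recorded in the object model, which is why they have to be reviewed and issued alongside the safety requirements. The equivalence check returns the first (state, inputs) pair where the two data versions disagree, which is the shape of a regression check between an issued version and a corrected one.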

10 Process

11 Layout: configure in the editor, or import from a customer-specified format!

12 Prover Overview: Verification & Certification (might delete this slide)

13 The Real Application (Setting the Scene)
- Two depots consisting of WESTRACE interlockings, and one terminal metro station comprising a single WESTRACE interlocking.
- Data was created manually from templates.
- Signalling principles were based on two separate, independent, existing tried-and-tested UK interlocking schemes.
- Data was checked and set to work for all of the above interlockings in the conventional manner.
- Principles were tested as per the standard process with licensed Principles Testers / TIC.
- Three iterations of one depot, comprising 5 interlockings, were completed; the toolset gave it specific attention.

14 Real Application: Application of the Prover Toolset
- Object Model created to define the railway signalling operation, reviewed and issued.
- Safety Requirements derived from the Signalling Principles and the Object Model, reviewed and issued.
- Tool implementation of the Safety Principles.
- Graphical representation of the depot layout specified, checked and issued in electronic format.
- Various testing iterations and refinements to the model and safety properties, running the verifier on both depots and A01.
- Prover Certifier run on depot interlocking version 4; some issues found and corrected.
- Belt-and-braces check for compliance with the standard-process Test Specification.

15 Substantial Safety Work Programme
Full safety assurance programme implemented:
- Safety Strategy
- Safety Plan
- Preliminary hazard identification / analysis
- Safety Case issued
- Full Independent Safety Assessment undertaken of the whole process and the toolset.
- Documentary evidence in full support of the system, to allow commissioning and Tester In Charge (TIC) sign-off.
Note: this work did not use auto-generation and automated testing of the data, only the Prover Certifier sign-off (SIL 4) verification.

16 Was it Successfully Implemented? Yes
We took our testers on a journey:
- Early engagement: full explanation of the project, its objectives and its goals.
- Involvement in the safety requirements capture.
- Comprehensive review against the traditionally specified Test Specification, itself based on previous projects.
- Full explanation of the differences; for instance, the rogue points testing traditionally undertaken was removed!
- Ran a number of iterations to check the comprehensiveness of the testers' work.
- Benefit gained, and learning in particular.
We got the buy-in from the Testers; at the end of the day, changes to the interlocking were signed off into service on the basis of the toolset. Game changer in operation!

17 Is it really a Game Changer or not?
The comfort zone: game changers are often radical.
- People are resistant to change.
- People see no need to change.
- People are happy with their lot.
Recognition that we have to change!
- Seen by management as a risk!
- Seen by the customer as a risk!
- The industry is risk averse, but sometimes rightly so!
Radical change:
- Conventional tried, tested and loved processes become obsolete.
- Standards have to change; we all know how efficient that process is and how long it takes.
- Mistrust and denial.
Implementing the game changer: the light-bulb moment.

18 Conclusion / Summary / Future / ...
- The customer increasingly demands reduced engineering effort and delivery time.
- Use of automation tools and sign-off verification of IM (infrastructure manager) requirements are key ingredients for meeting this demand.
- From a technology point of view the obstacles are few, if any. The major challenge lies with people and mindsets.
- Siemens has worked in partnership with Prover Technology to apply these methods and tools on both UK and non-UK infrastructure.
- There remain many hearts and minds to change. This journey requires considerable change in behaviour within the signalling industry, in both the infrastructure-owner community and the supplier community.
- Other signalling suppliers also take this approach, and there are other providers of formal-methods tools on the market.
- On non-UK infrastructure it is working; on UK infrastructure it is coming soon.
Personally, I have been on this crusade for 10 years. That says something in itself!