
Asynchronous modeling in railway systems

Emmanuel Gaudin
PragmaDev, France
emmanuel.gaudin@pragmadev.com

Abstract: Models in the railway industry are often based on synchronous technologies such as Matlab or Scade. This is due to technical reasons, but because of its concepts the abstraction level of synchronous models is very low and very close to the implementation level. A serious gap is observed between the requirements described in natural textual language and the model, which is basically an implementation. The increasing level of system complexity, combining communicating subsystems, calls for a more abstract model. This paper will first discuss why synchronous technologies have been used in this type of system, then an experiment of using an asynchronous technology on a real ERTMS case coming from SNCF is described, and finally the paper will conclude on how an asynchronous modeling technology could make the link between the informal textual requirements and the implementation of the system.

Keywords: Modeling, Asynchronous, Synchronous, Matlab, Lustre, SDL, TTCN-3, Railways, ERTMS

Introduction

When it comes to modeling, two main questions have to be addressed. The first one is about positioning the model in the development cycle, defining whether the model is a requirement, a specification, or a design. The second one is about the modeling technology to use, depending on what the model is aiming at. The lower the model level is, the more specialized the modeling technology, and the narrower the scope of the model.

In [1] the technologies usually applied to model train systems are listed, such as the B method, Scade, and Simulink/Stateflow. In [2] and [3] the authors present how they have written a specific type of model in order to verify specific safety properties. The models are usually dedicated to the targeted model checking technology and cannot be used for anything else. In [4] the work done by SNCF to verify safety rules using The MathWorks tools is presented. In [5] the author presents a tool that makes a link between a system level model written with the Papyrus SysML modeler and a design level model written with SCADE Suite. In [6], following the ASSERT FP6 European project, the European Space Agency has been promoting the TASTE (The ASSERT Set of Tools for Engineering) framework. Because each technology is best suited for a part of the overall system, the TASTE framework aims at gathering the different technologies in a consistent framework. The top level model is an architecture model based on AADL and ASN.1. The different AADL architecture blocks are further developed with a dedicated technology such as Scade or SDL. When all models are validated, a code generator automatically gathers the code generated by the different tools.

In the above references, the choice of the modeling language is often driven by the possible verification associated with the technology. For that purpose models are based on low level modeling technologies that are very close to the implementation details. Attempts to raise the modeling level have been made using a combination of languages. For that purpose the synchronous or asynchronous approaches are put at the same level and a third language is used as an overall model view (SysML or AADL). In this paper we are experimenting with a different approach, in which an asynchronous SDL model is used as a bridge between the requirements and a low level synchronous model. To demonstrate this, an existing Matlab model is taken as an example and translated to an SDL model. Using an SDL simulator and solver, the system functions are then analyzed. Finally there will be a discussion on what the SDL model brings to a Matlab model.

A natural synchronous approach

In the old days, train systems were exchanging simple information such as whether the train is present on that portion of track, or whether the doors are open or not. This information can be detected with simple electrical detectors along the tracks, on the platforms, or in the train itself. These detectors behave like electrical switches and the information can be extracted from the fact that the circuit is open or closed. From a software point of view, all this information can be represented by binary variables. The rationale is a logical combination of the different pieces of information gathered. It would be something like: if the train is not stopped at the platform, then the doors should be closed. And this condition would be verified every time some new information was received from the sensors. Each clock tick, the information from the sensors is gathered and given to a logical system that will compute all the entries and produce some outputs.

That is the basic principle of a synchronous approach. All the entries are valid at the same time, some logical operators combine the inputs, taking into consideration the previous values of the inputs, and produce some outputs. Each clock tick, the whole information is computed again and again. The fact that the system recomputes everything at every clock tick actually reduces the possible number of cases that might occur in the system. It is therefore much easier to verify properties at each clock tick and make sure the system behaves properly whatever happens, whatever the information read by the sensors.

New approach for upcoming systems

Train management systems are evolving, and in particular the European Rail Traffic Management System (ERTMS [7]), which was initiated in the 90s by the European Union, aims at harmonizing and expanding the capabilities of train control systems over Europe so that a train crossing borders does not need a specific controller for each country it crosses. This standard covers the specification of on-board equipment and trackside equipment, as well as communication and information systems. The information exchanged includes speed, acceleration and so on. It is more and more complex and is getting quite far from the original binary information. Furthermore, the different pieces of equipment are not all mechanically or electrically connected; they are now completely desynchronized from one another. The information is not that simple anymore; it is complex and unpredictable. Using synchronous technologies might work at a local level but will definitely not be sufficient to describe new features that combine a lot of communication. In fact, the higher the level of the view, the less a synchronous description will fit. This is a known issue in systems where complexity is increasing. It has been theorized and discussed in several publications as the GALS (Globally Asynchronous Locally Synchronous [10]) theory of system description since the 80s. At that time, asynchronous descriptions were transformed to synchronous descriptions, based on the theory that asynchronous models could be deconstructed to synchronous models and reconstructed back [11]. The point was to be able to use the existing and mature synchronous validation and verification technologies on the market at that time [12]. This works as long as the model is close to the implementation. This is not satisfying anymore in complex communicating systems, as the first thing to do when developing a new feature in a system is to verify its functionality before trying to implement it. That raises the need for asynchronous descriptions and verification techniques.

An asynchronous description of existing models

On one side, the higher the abstraction level is, the more asynchronous are the relations among the elements in the system. On the other side, in order to produce a relevant and verifiable dynamic description, the model needs to be executable. That means it should be statically and dynamically unambiguous from a semantic point of view.

SDL [6], an international standard that was initially designed to describe telecommunication protocols, is a good candidate for this type of description. It is by nature asynchronous, it combines graphical views for architecture and state machines, and it includes an action language with simple data types to describe a detailed behavior whenever needed in the description.

Figure 1: A basic SDL architecture

Figure 1 shows an SDL architecture with two blocks. Each block can be further decomposed into sub-blocks. At the lower level of the architecture, one or several finite state machines describe the behavior of their container. The flow of information between the blocks is message based. Each state machine has its own implicit FIFO message queue. There are no clock based inputs in an SDL system. Only the sequence of events matters.

Figure 2: A simple SDL state machine

Figure 2 shows a simple SDL state machine. In the administration state, the state machine will read its message queue. If an addUser message is received, the instructions below the addUser input symbol are executed, an accepted message is sent to the sender of the addUser message, and the transition ends back in the idle state. If message deleteUser is received, the counter internal variable is set to 0, and the transition also ends in the idle state.

The different state machines in an SDL model run in parallel. The main issue with this type of description is verification. Because of its asynchronous nature, events can occur at any time, independently from each other, and this creates a huge number of possible scenarios. Model checking tools can explore the possible combinations, but the number of cases is sometimes very difficult to handle, making verification of properties on this type of system a real challenge.

Since this type of description is well suited for a high level description, it is naturally close to a functional description or a high level requirement. It is therefore quite interesting to analyze how the requirements could be translated into an asynchronous model and a synchronous model, and see if one could be translated to the other. This is what was done on a Radio Block Center from the ERTMS [7]. Figures 3 and 4 show the architecture level using Matlab and using SDL. Even though both models contain the same blocks, the main difference is the communication semantics. Information exchange is synchronous in Matlab and message based in SDL.

Figure 3: Architecture described with Matlab

Figure 4: Architecture in SDL with three state machines

The Matlab diagram in Figure 5 indicates that the description of the block is done with a state machine. It lists all the inputs and outputs of the state machine. This is not necessary in SDL, as a process behavior is always described with a state machine.

Figure 5: Connect and disconnect block is made of one synchronous state machine

The Matlab state machine is described in Figure 6 and the SDL equivalent state machine is described in Figure 7.

Figure 6: Matlab synchronous state machine

Figure 7: SDL asynchronous state machine

In the example described in Figures 6 & 7, the inputs are very similar. For example, reception of the msg155 event is done by setting the boolean variable msg155_recu to true in Matlab, while it uses the message input symbol in SDL. The Matlab representation forces the modeler to make sure msg155_recu is set to false after being received, because if not it might be taken into consideration again in another transition. Similarly, to output some information from the state machine, the Matlab model sets boolean values to true or false. For example, in the Session_etablie state, envoi_msg32 is set to true when entering the state, then set to false while in the state, and again set to false when exiting the state. In an event based language such as SDL, there is only one msg32 output when msg155 is received, and that's it. In that sense it makes things much clearer.

The other example below, Deconnecter_selon_mode in Figures 8 & 9, shows how to disconnect the train depending on the mode in which it is.

Figure 8: Disconnect depending on the mode, Matlab state machine

Figure 9: Disconnect depending on the mode, SDL state machine

In that example the main difference is in the inputs of the state machine. The Matlab model uses the logical operators AND and OR to identify which input was received; the SDL model is just a list of inputs, and the star means any other input.

In both examples the models are equivalent from a functional point of view; depending on the reader's technical background, one or the other might be easier to read and understand.
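The flag-versus-message difference of Figures 6 and 7, as an added illustration that is not part of the paper: a constructed Matlab-style machine that latches msg155 in a boolean, next to a constructed SDL-style machine that consumes msg155 from its FIFO queue. The per-tick sampling and the second transition reacting to the same flag are assumptions.

```python
from collections import deque

# Constructed illustration of the connect step: receiving msg155 must produce
# exactly one msg32 and move the machine to Session_etablie.

def run_synchronous(sampled_msg155, reset_flag):
    """Matlab/Stateflow-style machine: the input is a boolean sampled each tick.

    `sampled_msg155[t]` is True when msg155 arrives during tick t. The flag
    msg155_recu latches the reception; it is only cleared when `reset_flag`
    is True, which is the discipline the paper says the modeler must follow.
    Returns (final state, ticks at which envoi_msg32 was true).
    """
    state = "Connexion_en_cours"
    msg155_recu = False
    sent = []
    for tick, received in enumerate(sampled_msg155):
        if received:
            msg155_recu = True          # input latched as a boolean variable
        envoi_msg32 = False             # output flags are recomputed every tick
        if msg155_recu:
            if state == "Connexion_en_cours":
                state = "Session_etablie"
                envoi_msg32 = True      # entry action of Session_etablie
            else:
                envoi_msg32 = True      # assumed second transition on the same flag
            if reset_flag:
                msg155_recu = False     # without this the flag fires again next tick
        if envoi_msg32:
            sent.append(tick)
    return state, sent


def run_asynchronous(queue_contents):
    """SDL-style machine: inputs are messages consumed one at a time from a FIFO.

    Returns (final state, list of msg32 outputs). Each input symbol consumes
    exactly one message, so there is nothing to reset.
    """
    state = "Connexion_en_cours"
    queue = deque(queue_contents)
    sent = []
    while queue:
        msg = queue.popleft()
        if msg == "msg155":
            if state == "Connexion_en_cours":
                state = "Session_etablie"
            sent.append("msg32")        # one output per received msg155
        # any other message is discarded, as SDL does for unexpected inputs
    return state, sent
```

Running the synchronous machine with reset_flag=False shows msg32 being re-sent on every following tick; the asynchronous machine cannot exhibit that behavior.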

Model verification

The experiment included some simulation of the SDL model with a small prototyping graphical user interface in order to verify the behavior was correct. Once the model was considered correct, the PragmaDev symbolic resolution tool, a result of the PragmaList [8][9] common lab, was experimented on the model. This technology combines the transitions from a symbolic point of view, and tries to solve each possible combination like it would do with an equation. If there is a solution to the equation, the path is possible. The first objective with that technology was to automatically generate the minimum number of test cases with maximum coverage. After a few trials the tool could not reach two transitions in the model. A manual analysis rapidly concluded that this use case did not allow one of the generic functions in the model to return the values required to reach these two transitions. Once this was settled, test generation out of the model was successfully experimented and 17 test cases covering all transitions were automatically generated.

Five properties have been written to be verified on the model. As for the experiment, the properties were actual pieces of the state machine written with another language. For example, the first property verifies that when in state Connexion_en_cours, when receiving msg159 the state machine goes to state Etablie and not any other.

The symbolic resolution tool has been run on the model with its properties for a few hours, reaching a substantial depth of search, meaning a substantial number of transition combinations. As a result, within this exploration perimeter the properties were satisfied.
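The coverage and property checks of this section, as an added example that is neither the paper's model nor the PragmaDev tool: an explicit-state exploration (not symbolic resolution) of a small constructed state machine, which finds a transition no input sequence can fire, generates one input sequence per reachable transition, and checks the msg159 property on every reachable configuration. The modes A/B/C, the input fin_session and the transition table are assumptions.

```python
from collections import deque

# Constructed model (not the paper's RBC model): a control state plus a `mode`
# variable. A transition is (name, source, input, required mode, new mode, target);
# None means "any mode" / "keep mode". State names and msg159 follow the paper,
# the modes A/B/C are assumptions.
INPUTS = ("msg155", "msg159", "fin_session")
TRANSITIONS = [
    ("t1", "Connexion_en_cours", "msg159", None, None, "Etablie"),
    ("t2", "Etablie", "msg155", "A", "B", "Etablie"),
    ("t3", "Etablie", "fin_session", "A", None, "Deconnecte"),
    ("t4", "Etablie", "fin_session", "B", None, "Connexion_en_cours"),
    ("t5", "Deconnecte", "msg155", "C", None, "Connexion_en_cours"),  # mode C never occurs
]
INITIAL = ("Connexion_en_cours", "A")

def step(config, inp, transitions=TRANSITIONS):
    """Fire the transition enabled for (state, mode) and inp; returns
    (transition name, next config). Unexpected input is discarded (SDL rule)."""
    state, mode = config
    for name, src, trig, req, new, dst in transitions:
        if src == state and trig == inp and req in (None, mode):
            return name, (dst, mode if new is None else new)
    return None, config

def explore(initial=INITIAL, transitions=TRANSITIONS):
    """Breadth-first exploration of reachable (state, mode) configurations.
    Returns (reachable set, shortest input sequence that fires each transition)."""
    paths = {initial: []}             # config -> shortest path reaching it
    queue = deque([initial])
    witnesses = {}                    # transition name -> generated test case
    while queue:
        config = queue.popleft()
        for inp in INPUTS:
            name, nxt = step(config, inp, transitions)
            if name is None:
                continue
            witnesses.setdefault(name, paths[config] + [inp])
            if nxt not in paths:
                paths[nxt] = paths[config] + [inp]
                queue.append(nxt)
    return set(paths), witnesses

def uncovered_transitions(transitions=TRANSITIONS):
    """Transitions no input sequence can fire, like the two found in the experiment."""
    return sorted(t[0] for t in transitions if t[0] not in explore(transitions=transitions)[1])

def check_msg159_property():
    """The paper's first property: in Connexion_en_cours, msg159 leads to Etablie only."""
    reachable, _ = explore()
    return all(step(c, "msg159")[1][0] == "Etablie"
               for c in reachable if c[0] == "Connexion_en_cours")
```

On this model t5 is reported as uncovered because no path ever sets the mode to C, which is the same kind of finding as the two unreachable transitions described above.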

How to link asynchronous models to synchronous models

During the experiment it was established that the SDL model was further away from the implementation than the Matlab one. Because of its asynchronous principles it was more of a functional view of the behavior and therefore closer to the requirements. This clearly validated the idea of having a high level asynchronous executable functional model to make sure the requirements are properly understood. The question was how to link this asynchronous approach to a synchronous one. It turned out an asynchronous model, including a test case, can easily be connected to a synchronous one. For example, a synchronous input can be evaluated at each tick, and when the value of the input changes it generates an asynchronous message (Figure 10). The other way around, an asynchronous message output can be converted to a clock based value.

Figure 10: A synchronous change of value can be transformed into an asynchronous send

This shows that it would be possible to generate code out of the asynchronous model and connect it to a synchronous target, or to generate test cases out of the asynchronous model and run them against a synchronous implementation in order to check it conforms to the model.
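The two conversions of Figure 10, as an added example that is not the paper's code: sampling a synchronous input and sending a message only on a change of value, and mapping asynchronous message outputs back onto per-tick boolean values. Reporting the first sample as a change, and the handling of late messages and of two messages inside one tick, are assumptions about the bridge.

```python
# Constructed bridge, not the paper's tooling: the two conversions of Figure 10.

def sync_to_async(samples, name):
    """Sample a synchronous input at every tick and emit one message per change.

    `samples[t]` is the value read on the input at tick t. Returns a list of
    (tick, message name, new value); a constant input produces no further
    message, which is the event-based view of the SDL model.
    """
    messages = []
    previous = None                        # no value known before tick 0
    for tick, value in enumerate(samples):
        if value != previous:              # change of value = asynchronous send
            messages.append((tick, name, value))
            previous = value
    return messages


def async_to_sync(messages, n_ticks):
    """Turn asynchronous output messages into clock-based boolean signals.

    `messages` is a list of (tick, message name) in send order. Each name maps
    to a list of n_ticks booleans that is True only at the tick the message
    was sent (the envoi_msgNN style of the Matlab model). Two cases a clocked
    line cannot express are reported instead of being silently dropped:
    `late` holds messages sent after the last tick, `collisions` holds a
    second message of the same name inside one tick.
    """
    signals, late, collisions = {}, [], []
    for tick, name in messages:
        if tick >= n_ticks:
            late.append((tick, name))
            continue
        line = signals.setdefault(name, [False] * n_ticks)
        if line[tick]:
            collisions.append((tick, name))
        line[tick] = True
    return signals, late, collisions
```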

Conclusion & Future work

The experiment on this real use case in the railway domain has demonstrated that an SDL executable asynchronous model could be functionally equivalent to a Matlab synchronous model. Because of its asynchronous nature the SDL model is closer to the requirements, whereas a Matlab model is closer to the implementation. An SDL model could therefore be used by stakeholders early in the development process to formalize requirements and to verify them from a functional point of view. A Matlab model would still be used later on for the implementation. And the SDL model would be the reference to verify functional properties, or to generate test cases to verify that the final implementation is functionally conformant to the initial requirements.

Bibliography

[1] Flammini, F., Railway Safety, Reliability, and Security: Technologies and Systems Engineering, IGI Global, May 31, 2012, Technology & Engineering, 487 pages.
[2] Liu, Jiang (et al.), A Calculus for Hybrid CSP, Programming Languages and Systems, 8th Asian Symposium, APLAS 2010, Shanghai, China, November 28 - December 1, 2010, Proceedings, Springer LNCS 6461.
[3] Cimatti, Alessandro (et al.), Formal Verification and Validation of ERTMS Industrial Railway Train Spacing System, Computer Aided Verification, 24th International Conference, CAV 2012, Berkeley, CA, USA, July 7-13, 2012, Proceedings, Springer LNCS 7358.
[4] Callet, S., el Fassi, S., Fedeler, H., Ledoux, D. and Navarro, T. (2014) The Use of a Model Based Design Approach on an ERTMS Level 2 Ground System, in Formal Methods Applied to Industrial Complex Systems (ed J. L. Boulanger), John Wiley & Sons, Inc., Hoboken, NJ, USA.
[5] Le Sergent, T., SCADE: A comprehensive framework for critical system and software engineering, SDL Forum 2011, Springer LNCS 7083.
[6] International Telecommunication Union: Recommendation Z.100 (12/11) Specification and Description Language (SDL). http://www.itu.int/rec/T-REC-Z.100
[7] European Rail Traffic Management System ERTMS, http://www.era.europa.eu/Core-Activities/ERTMS/Pages/home.aspx
[8] Gaudin, E., Deltour, J., Faivre, A., Lapitre, A., Model Based Testing: An Approach with SDL/RTDS and DIVERSITY. System Analysis and Modeling: Models and Reusability. 8th International Conference, SAM 2014, Valencia, Spain, September 29-30, 2014. Proceedings. Editors: Amyot, Daniel, Fonseca i Casas, Pau, Mussbacher, Gunter (Eds.). Springer LNCS 8769.
[9] www.pragmalist.org
[10] Globally asynchronous locally synchronous, Wikipedia, http://en.wikipedia.org/wiki/Globally_asynchronous_locally_synchronous
[11] A. Benveniste, B. Caillaud, and P. Le Guernic. From synchrony to asynchrony. In J. C. M. Baeten and S. Mauw, editors, Proceedings of CONCUR'99, volume 1664 of LNCS, pages 162-177. Springer, 1999.
[12] M. Mousavi, P. Le Guernic, J.-P. Talpin, S. Shukla and T. Basten, "Modeling and validating globally asynchronous design in synchronous frameworks", Design, Automation and Test in Europe Conference and Exhibition, 2004. Proceedings, pp. 384-389.
