USING PETRI NETS FOR SAFETY ANALYSIS OF UNMANNED METRO SYSTEM
M. EL KOURSI & P. OZELLO, INRETS-CRESTA, 20, rue Elisée Reclus, 59650 Villeneuve d'Ascq, France. TEL: (33) 2043 83 24 FAX: (33) 2043 8359

Abstract
In unmanned transportation systems, the certification of the control/command equipment is a technical process based on rigorous methods taking into account precise and detailed objectives. In France, for a number of new automated transport systems, INRETS has been in charge of this certification process as an authorized body appointed by the Ministry of Transport. This process intends to assess that the system design satisfies initially defined safety objectives. INRETS-CRESTA has developed a tool based on Petri nets and a methodology for applying this tool. The principle is to examine and, if necessary, to complete the safety study carried out by the constructor, by coupling and simulating a functional model with an environment model. In this paper we describe how this tool is used to specify safety functions and to demonstrate their safety. The method is illustrated by an example of application to the VAL automated system.
Key words: certification, safety, Petri nets, simulation, guided transport systems.

Introduction
The process of unmanned transportation systems certification intends to attest that the system design satisfies initially defined safety objectives. In parallel with the system life cycle adopted by the manufacturer, the duly authorized body performs the certification life cycle. In the different safety validation steps, the authorized body uses different methods to find out, as early as possible, the unsafe situations which could occur during the different phases of the system life. It checks that the Preliminary Hazard Analysis has taken into account all the particularities of the system and its degraded modes of operation. The functions dedicated to preventing each hazard are to be clearly defined. This verification continues throughout, from the equipment specification (internal and external) to the final product. To improve the certification process, INRETS-CRESTA has developed a tool based on Petri nets and a methodology for applying it.

Such a tool has been used to help the team in charge of the certification of the VAL system of Lille, of the ORLYVAL of Paris and of the MAGGALY system of Lyon. It has also been used to analyse a critical software function of the VAL Chicago Automatic Train Protection (ATP). In this paper we describe how Petri nets are used: to analyse, by modeling, the specification of the safety functions in order to check the completeness and consistency of the system specification; and to check, by simulation, the correctness of the safety criteria attached to each safety function.

We give here just an informal and synthetic recall of the definition of Petri nets. A Petri net is an oriented bipartite graph. Places are represented by circles and transitions by bars. Places and transitions are joined by oriented arcs. The values of the input function are associated with each arc joining a place to a transition; the values of the output function are associated with the arcs joining a transition to a place. Moreover, with each transition is associated a condition which corresponds to a logical or numerical piece of information.

Safety analysis approach
The safety analysis of unmanned transportation systems is generally achieved by a top-down decomposition which attaches to each functional entity safety criteria that should be satisfied by the corresponding equipment. The manufacturer's approach tends to prove the correctness of the specification, design and realisation of all the components. Our approach tries to find that a component's specification does not correspond to the requirement specification and design, according to a safety criterion.

This approach can be decomposed into six phases:
- to identify the safety functions of the Automatic Train Protection (ATP) system and of their close environment,
- to identify the safety criteria attached to each safety function,
- to model each function and its environment in order to detect an incompleteness or an inconsistency in the specification,
- starting from the models, to simulate the environment and the safety function in order to examine the dynamic behaviour of the function and check that the safety criteria are satisfied,
- to introduce failures in the model in order to check the protection reactions,
- to link and simulate the set of function models and the environment model, to verify their interfaces and check that the global safety criteria are satisfied.

The specification model used to achieve the safety analysis is divided into three parts. The first part is the environment model, in the broad sense, which integrates the different steps of train movement; each state of this model corresponds to a signal activation. The second part corresponds to the interface between the environment model and the ATP model. The third part corresponds to the ATP specification (fig 1).

Fig 1: modeling principle of an ATP (figure not reproduced; blocks: Environment, Interface, ATP model, Other functions).

We illustrate our approach with an example of a transport system with fixed-block anti-collision protection, such as the VAL system (fig 2). The principle of such a system is that the track is divided into blocks. For each block, safety is achieved by a block logic which determines the occupancy, the release and the alarm.

Fig 2: Elementary block (figure not reproduced; it shows a train with its anti-collision antenna over a block, the "canton", divided into track segments).

This block logic uses the information delivered by a set of loops which receive a signal from the anti-collision antenna fitted on board the train. Normally, the train transmits a signal into the fixed loops on the track; the activation of a loop indicates the presence of the train. So, in figure 2, B1 allows the detection of a train entering a block, B is used to maintain the block occupancy information, and the B2 loop informs that the train is leaving the block. Moreover, detection barriers based on infrared beams are provided at some places on the track. These detection barriers, called DN (infrared barrier), deliver a low pulse at the passage of a train.

The environment model (fig 3) represents a single train driving along the block. The places seg1 to seg9 denote the successive train positions and correspond respectively to the train approaching B1 (loop), crossing B1, cutting DN (infrared barrier), crossing B (loop), releasing DN, releasing B1, crossing B2, releasing B and releasing B2. Similarly, the transitions Te1 to Te8 denote the events of signal activation of the loops. When a transition is fired, the mark is put in the next place of the environment model and in the corresponding place of the interface model (fig 3).

Fig 3: Interface model (figure not reproduced). Environment places seg1 to seg9 are linked by the transitions Te1 to Te8 (transmitting in B1 loop, cutting DN, transmitting in B loop, release DN, release B1, transmitting in B2 loop, release B, release B2); the interface places B1, DN, B and B2 receive a mark when the corresponding transition fires.

The interface model is integrated into the environment model. The firing of a transition of the environment model places a mark in the corresponding place of the interface model. This mark may be consulted or used by the equipment model. For instance, the firing of Te1 puts a mark in the B1 interface place. A mark in the B1 place indicates that the train anti-collision antenna activates the B1 loop [mark = activation, no mark = no activation].

The interface model may also be disconnected from the environment model by using the synchronization possibilities of transitions: it is possible to synchronize a Ti (interface transition) with a Te (environment transition). In figure 4, the Ti-emission-B1 transition is synchronized with Te1: the firing of Ti-emission-B1 is not enabled before the firing of Te1.

Fig 4: interface model synchronized with environment model (figure not reproduced; synchronizations shown: Ti-emission-B1 with Te1, Ti-DN-actif with Te2, Ti-DN-cut with Te4, Ti-leave-B1 with Te5).

Automatic Train Protection (ATP) equipment model
In the equipment model, we proceed to a decomposition of the safety function into a set of subfunctions. To each subfunction is attached a set of safety criteria. These criteria result from the SSHA (SubSystem Hazard Analysis). To each criterion we associate an undesirable marking of the model. Each Petri net model of a subfunction does not exceed 10 places and 10 transitions, in order to facilitate the analysis.

Consider our example of a block logic, which is decomposed into two subfunctions:
- occupancy and release model,
- alarm model.

Fig 5: Block occupancy model (figure not reproduced; places C11-occupied and C11-released, transitions T-C11-occupied and T-C11-released).

If we look at figure 5, the occupancy state of the block is intuitively equivalent to the B loop receiving a permanent signal from the train (anti-collision antenna). The designer must take into account the antenna failures: when the train cuts the DN (infrared barrier) without transmitting a signal to the B loop, the block must be declared occupied. These conditions are implemented in the condition of the T-C11-occupied transition. The block is declared released when the train leaves the B and B2 loops sequentially.

The alarm model (fig 6) can be coupled with the occupancy model. It must generate an alarm if the train interrupts the transmission into the B loop while the occupancy place of the model holds a mark. This condition is implemented in the T-alarm transition.

Fig 6: Block alarm model (figure not reproduced; places alarm and not-alarm; transition T-alarm, whose condition involves C11-occupied and B; transition T-not-alarm, whose condition involves B, C11-released and the acquittement (acknowledgement)).

The different conditions associated with the transitions combine the loop signals and the states of some places of the models (environment, interface and ATP model).

Adding failures in the model
Failures can be modelled in the Petri nets. They correspond to the loss of a mark or to the generation of a spurious mark. In the model, failures are added in different ways:
- addition or deletion of transitions,
- alteration of the transition condition, for simulating the occurrence of an untimely remote control,
- addition or deletion of arcs.

For instance, the deletion of the arc between the Te3 transition of the environment model and the B place of the interface model simulates the absence of train transmission into the B1 loop. In this case, we check in the ATP model that the alarm model reacts correctly and puts the mark into the alarm place.

In unmanned transportation systems, remote controls are necessary to improve the operation of the system. Unfortunately, hazardous situations may result from an incorrect use of certain remote controls. For instance, the initialization remote control can cancel certain safety alarms, such as a call for emergency evacuation. We can act on the model evolution by modifying a condition which enables the firing of a transition: the user can introduce an untimely remote control in the transition predicate in order to evaluate the hazards resulting from such a remote control.

Model operation
We have developed a tool called "SIMPAR" which computes the set of reachable states, forward and backward, from any initial state.

Reachable graph
The forward reachable graph can be used to check whether the set of undesirable markings (safety criteria) is reached from an initial state by a legal sequence of transition firings. The backward reachable graph allows one to determine, from an undesirable state, the different paths which are at the origin of this undesirable marking; it shows whether the model can generate these undesirable states.

Factual simulation
It is possible to simulate step by step the evolution of the Petri net marking and to choose the moment at which failures or untimely remote controls are introduced.
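As an added illustration (not the paper's SIMPAR tool nor any INRETS code), the following Python models the elementary block of figures 3, 5 and 6 as a 1-safe Petri net: after each environment event it runs the ATP sub-nets to a stable marking, computes the forward reachable graph, traces the legal firing sequence that leads to an undesirable marking, and injects the "deleted arc" failure (no transmission in the B1 loop). Place and transition names follow the paper; the transition guards, the B2seen place and the undesirable marking [Not(DN), Not(B1), C11-released] attached to criterion C10 are taken from the paper's description but simplified by me.

```python
from collections import deque
# Environment model (constructed for this example): Te_i moves the train one segment on
# and marks/unmarks an interface place (B1, B, B2: loop hears the antenna; DN: beam intact).
ENV = [("Te1", "seg1", "seg2", "B1", None), ("Te2", "seg2", "seg3", None, "DN"),
       ("Te3", "seg3", "seg4", "B", None),  ("Te4", "seg4", "seg5", "DN", None),
       ("Te5", "seg5", "seg6", None, "B1"), ("Te6", "seg6", "seg7", "B2", None),
       ("Te7", "seg7", "seg8", None, "B"),  ("Te8", "seg8", "seg9", None, "B2")]
NO_B1_ARC = [("Te1", "seg1", "seg2", None, None)] + ENV[1:]  # Te1->B1 arc deleted
# ATP model: (name, consumed, produced, guard), fired in this priority order until
# stable. Guards and the B2seen place are my simplification of figures 5 and 6.
ATP = [("T-C11-occupied", {"C11-released"}, {"C11-occupied"},
        lambda m: "B" in m or ("DN" not in m and "B1" not in m)),
       ("T-B2-seen", set(), {"B2seen"},  # train leaving through the B2 loop
        lambda m: {"C11-occupied", "B2"} <= m and not {"B", "B2seen"} & m),
       ("T-C11-released", {"C11-occupied", "B2seen"}, {"C11-released"},
        lambda m: "B2" not in m),
       ("T-alarm", {"not-alarm"}, {"alarm"},  # occupied, yet no loop hears the train
        lambda m: "C11-occupied" in m and not {"B1", "B", "B2", "B2seen"} & m)]
INITIAL = frozenset({"seg1", "DN", "C11-released", "not-alarm"})
def atp_cycle(m):  # run the ATP sub-nets to a stable marking (the macro-place step)
    while True:
        for _, pre, post, guard in ATP:
            if pre <= m and guard(m):
                m = frozenset((m - pre) | post)
                break
        else:
            return m
def successors(m, env):  # ATP cycle first; the train moves only from a stable marking
    stable = atp_cycle(m)
    if stable != m:
        return [("ATP-cycle", stable)]
    return [(name, frozenset((m - {frm, off}) | ({to, on} - {None})))
            for name, frm, to, on, off in env if frm in m]
def reachability_graph(env=ENV, start=INITIAL):  # forward graph and BFS parent links
    graph, parent, todo = {}, {start: None}, deque([start])
    while todo:
        m = todo.popleft()
        graph[m] = successors(m, env)
        for name, s in graph[m]:
            if s not in parent:
                parent[s] = (name, m)
                todo.append(s)
    return graph, parent
def um10(m):  # undesirable marking UM10 := [Not(DN), Not(B1), C11-released]
    return not {"DN", "B1"} & m and "C11-released" in m
def firing_sequence(parent, pred):  # shortest legal firing sequence into pred, else None
    hits = [m for m in parent if pred(m)]  # dict order is BFS order
    seq, m = [], hits[0] if hits else None
    while m is not None and parent[m]:
        name, m = parent[m]
        seq.append(name)
    return seq[::-1] if hits else None
```

In the nominal net the undesirable marking is unreachable and no alarm is ever raised; with the Te1 -> B1 arc deleted it is reached after Te1, Te2, and the following ATP cycle marks both C11-occupied and alarm.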
Sequential execution of the different models
It is always necessary to execute the different tasks in a defined order. Generally this order corresponds to the cyclic system behaviour. Each task can be modelled by a Petri net. In this case, we use a place called a "macro-place". Each macro-place represents a Petri net model describing a subfunction. When the macro-place is marked, the associated Petri net evolves until a stable marking is reached, then puts the mark in the next macro-place. Sequentially, the mark moves from one macro-place to another.

Validation approach
Individually, each subfunction is validated according to its specification. We check that the model corresponds to the specification and safeguards a set of safety criteria. We first validate the nominal function of the system. Then the model is submitted to aggressive scenarios by introducing failures of equipment, spurious remote controls and some particular operating modes.

Safety criteria and undesirable marking
Firstly, we look for the set of undesirable markings and check whether these markings may occur in the nominal configuration.

For instance, C10 is a criterion which stipulates that a train without transmitter must be detected at the block entrance. To this criterion we attach the undesirable marking UM10:

UM10 := [Not(DN), Not(B1), C11-released]

This marking describes the following situation: in the environment model and the interface model, the DN (infrared barrier) is cut by a train which is not transmitting in the B loop. This case is described in the interface model by the DN and B1 places, which are not marked. In the normal case, the train transmits in the B1 loop before cutting the DN barrier. In the ATP model, the occupancy place is not marked.

We check that this marking is never reached in the normal sequence of transition firings, and if we introduce failures to obtain this marking, we check that the corresponding alarm is set.

Conclusion
We have presented the different ways to use Petri nets to examine and, if necessary, to complete the safety study carried out by the constructor. The use of Petri nets allows properties such as safety to be analysed and helps in determining the possible sequences of failures which can lead to accidents. The first benefit of using Petri nets is to understand exactly and criticize the manufacturer's specification of the safety functions. The second is the possibility of showing the potentially dangerous configurations.