Model-Based Safety Analysis of Movement Authority Scenario in TcCBTC system

The train-centric communication based train control (TcCBTC) system contains a variety of uncertain factors during operation, and the generation of movement authority is a real-time process. To judge the impact of these uncertain factors on system safety, the generation process must be formally modeled and analyzed. Aiming at modeling and analyzing the system in an uncertain environment, the implementation process of TcCBTC movement authority is first analyzed and hazard sources are identified with the hazard and operability study (HAZOP) method. Secondly, the movement authority generation process is modeled on the basis of stochastic hybrid automata theory, and the model is simulated in UPPAAL-SMC to obtain statistical sample data. Finally, the statistical model checking algorithm is used to analyze the model quantitatively. The results show that the model meets the functional requirements of movement authority generation in the TcCBTC system and describes the uncertain environment in which the system operates. The SMC method can quickly verify the impact of uncertain factors on the system and provides a theoretical basis for subsequent TcCBTC system development and the relevant specifications.


Introduction
The train operation control system is one of the most important technical means of ensuring safe and efficient train operation on a line. In recent years, research on the TcCBTC system has become a hot spot in the industry. The system simplifies the trackside equipment, integrates the interlocking calculation and movement authority generation functions into the on-board equipment, and uses wireless communication to exchange information between trains, which shortens the train tracking interval. At present the TcCBTC system is under intensive research and development, and potential defects in its system requirements specification bring risks to the normal operation of the system. Moreover, the wireless communication between two different subsystems exhibits random, uncertain behavior. Modeling and verifying the system as it runs in an uncertain environment, and thereby finding its potential defects, is therefore a precondition for the successful development of the TcCBTC system.
EN50128 points out that 'when the software safety integrity level (SIL) of the system is level 3 or level 4, it is strongly recommended to use formal methods to analyze and verify the system' [1]. The focus of existing research on train control system modeling is not unified, and there is little analysis of system failures caused by random faults. Aiming at the modeling and analysis of the movement authority generation scenario in an uncertain environment, this paper takes stochastic hybrid automata theory as the modeling basis and statistical model checking as the safety analysis basis, formally models the continuous, discrete and random behavior of the movement authority scenario in the TcCBTC system, and quantitatively analyzes the influence of uncertain factors on the system model.

Stochastic hybrid automata model
Stochastic hybrid automata (SHA) extend timed automata [2]: clocks may run at different rates in different locations, and the transitions between locations can be weighted by discrete probabilities. The stochastic semantics of SHA attaches a probability distribution to the delay spent in a given location and to the choice of transition out of it, so SHA are widely used to model hybrid systems with random behavior. SHA models communicate with each other through broadcast channels and shared variables, forming a network of stochastic hybrid automata (NSHA). The SHA model of a TcCBTC subsystem is a 7-tuple < L, l0, X, Σ, E, F, I > [3], where L is the finite set of locations of the subsystem, l0 ∈ L is the initial location, X is the set of continuous variables and real-time clocks, Σ is the finite set of input and output actions, E is the finite set of edges between locations (each guarded by a condition on X), F(l) is the delay distribution of location l, and I(l) is the invariant of location l.

Statistical model checking
Statistical model checking (SMC) is a model-based safety analysis method that is regarded as a compromise between testing and formal verification. In recent years, methods based on NSHA and SMC have been widely used to solve the probability evaluation problem of safety critical systems [4]. The principle is to simulate the system many times, check each run against the property of interest, and estimate from the sample the probability interval with which the NSHA model satisfies the property during random operation. If the NSHA is taken as the system model M, then M runs randomly and the probability of satisfying the property ψ is written P_M(ψ). The SMC algorithm performs a sufficient number of simulation runs of the TcCBTC system model at a predetermined significance level to obtain statistical evidence for or against the quantitative property.
UPPAAL-SMC, a tool for statistical model checking, was built by David et al. by combining the theory of timed automata with SMC algorithms [5]. UPPAAL-SMC supports checking quantitative properties of a model on top of the UPPAAL modeling language. Compared with other model checking tools, UPPAAL-SMC provides a formal description of the stochastic hybrid characteristics of timed systems and is well suited to modeling real-time, concurrent, hybrid systems in an uncertain environment. It also lets the user evaluate, through query statements, the probability that the model satisfies a given property, and visualizes the resulting values in its window.

Overview of system requirements
Movement authority (MA) is the basis of safe train operation and directly affects the calculation of train headway, speed and the emergency braking curve. Before modeling and analyzing the MA generation scenario, the system requirements must be fully considered, because the formal model should reflect the abstract properties of the actual system intuitively and accurately. Understanding the system requirements is therefore the starting point of formal modeling.
In the MA generation process, the most important task is to obtain the conditions that restrict the safe operation of the train, that is, the status and position of obstacles. The process is as follows: after the train goes online, the intelligent vehicle on-board controller (IVOC) of train 1 applies for a route from the dynamic capacity decision subsystem (DCD), then receives and analyzes the operation plan sent by the DCD. Train 1 requests communication with the train control resource management unit (RMU), which receives and stores the basic information of train 1 and forwards the information of all trains on the line to train 1. Subsequently, IVOC1 establishes communication with the object controller (OC), queries the trackside equipment status and requisitions movable resources [6]. The purpose of train sieving is to find out whether hidden trains are present in front of or behind the train within the shortest train length. During actual operation, the location reported to the on-board equipment carries a measurement error, so the safe location of the train has to be calculated. The front train identification module identifies the unique front train of train 1 through information exchange with the DCD and the electronic map, and maintains periodic communication with the front train while it is within communication range. The ergodic obstacle module determines the type of terminal obstacle in front of train 1 from the information received above and derives the end of authority (EOA) position from the traversal result. Finally, the MA information is calculated in real time from the received temporary speed restrictions and other information, and the ATP (automatic train protection) curve is generated to control the safe operation of the train. The analysis shows that the subsystems involved in MA calculation are mainly DCD, RMU, OC, IVOC1 and IVOC2.
IVOC1 includes train sieving module, safety location calculation module, front train identification module and ergodic obstacle module.

NSHA model of movement authority generation
The corresponding NSHA model is established from the requirements analysis, as shown in figure 1. Figure 1 (a) shows the model of the DCD subsystem. After receiving the dcdcheck message sent by IVOC1, the DCD subsystem performs a fault inspection whose duration follows an exponential distribution with rate t44. The subsystem moves to the 'error' state with probability weight parameterdcd1. If the subsystem is normal, the DCD sends the dcdpass message to IVOC1 and moves to location conDI. On receiving the route application request connectplan from IVOC1, the DCD takes an exp(t44)-distributed time for the necessary calculation and storage, and the probability weight of successfully sending the operation plan message plan to IVOC1 is paravehicleland. An 'end-to-end transmission delay' of exp(t22) must also be set on SendPlan. Figure 1 [...] after the on-board subsystem obtains the temporary speed restriction and other information, it sends the GetData message to start the terminal obstacle calculation. If there is no platform within the train path, the EOA is the safe rear position of the front train. If there is a platform within the route query range, the EOA is the start of the axle counter section of the platform area. After the EOA judgement is completed, the MA information is output; in this step the information may be lost with probability weight loss1. Finally, MA generation is represented by the output of the MAinfor message. In the case of a subsystem failure or communication failure, the consequences are determined from the HAZOP analysis results and the corresponding collision, derailed or overspeed message is output. After receiving such a message the on-board IVOC1 enters location fault1, prompts the corresponding modules for maintenance, and the train brakes in time.
Errors in the model can be corrected promptly according to the simulation runs. Freedom from deadlock is the first property to verify: once the system enters a deadlock, no other state, including the normal operating states, can be reached. UPPAAL-SMC provides the query in equation (1) for deadlock verification, and the model satisfies this property. The safety of the system is then analyzed further. The final states of the model are the output of MA information and the output of system fault information; this is verified with equation (2), and the result is passed. On the premise that the above verifications pass, the system is simulated. According to the description of the MA generation scenario and the communication cycles between devices, the time for completing a movement authority should not exceed 3000 ms. The system was simulated 10000 times with the query in equation (3) to obtain the distribution of the time at which the system produces normal output within 3000 ms, that is, the time of reaching location getMA. The simulation results are shown in figure 2: the normal output times are scattered between 600 and 3000 ms.
The smaller the rate parameter of an exponential delay, the longer the expected waiting time before leaving the location. Reference [7] gives an end-to-end transmission delay of < 150 ms (98%), so t11 = t22 = t33 ≈ 0.02 is set. Because the information processing time and the subsystem parameters change continuously during train operation, this paper mainly analyzes the impact of the information processing time and of the fault parameters on the system. The fault probability weights in figure 1 are set to a common value, para… = loss1 = p, with the fault probability of the order of 10^-8. The values of p and t44 are varied and the reachability probability of MA generation failure is computed in UPPAAL-SMC, that is P(fault) = 1 - Pr[<=3000](<> IVOC1.getMA). The experimental results are shown in table 2. The analysis shows that uncertain factors such as subsystem failure, communication failure, communication delay and packet loss have a great influence on the MA generation process. Therefore the values of the above parameters should be adjusted at design time so that the system reaches the corresponding quantitative safety index.
When the failure probability is 9 × 10^-8 and t44 = 0.02, the probability interval computed from 12837 simulation runs is [0.998998, 0.999998], and the relationship between running time and cumulative probability is obtained, as shown in figure 3. The time interval in which the system outputs MA information is [600, 3000] ms. The probability of successful MA calculation within the first 900 ms is very small; it reaches 99.9% at 2709 ms and finally about 0.9999982449 at 3000 ms, which meets quantitative safety level QSL4 (failure probability < 10^-5) [8]. Note that the lower bound of the stated confidence interval, 0.998998, corresponds to a failure probability of about 10^-3, so the QSL4 comparison rests on the point estimate at 3000 ms rather than on the interval itself.
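The SMC principle described above and the reachability experiment of figures 2 and 3 can be reproduced in miniature. The following Python program is an added example written for this page; it is not the paper's UPPAAL-SMC model or code. It abstracts figure 1 into a hypothetical chain of six locations (dcdcheck, sendplan, rmu, oc, eoa, mainfor), each with an exponential delay of rate t11, t22, t33 or t44 and a failure branch of probability weight p, simulates the chain in Monte-Carlo fashion, and estimates Pr[<=3000](<> getMA) using the number of runs given by the Chernoff-Hoeffding bound that UPPAAL-SMC uses for probability estimation. The rate value 0.02, the failure weight 9 × 10^-8 and the 3000 ms bound are the page's; the chain, its location names, the smaller t44 values tried and the precision settings ε and α are assumptions.

```python
"""Monte-Carlo statistical model checking (SMC) of a toy stochastic hybrid
automaton abstracting the MA generation scenario (added example, not the
paper's UPPAAL-SMC model)."""
import math
import random
from dataclasses import dataclass


@dataclass
class Params:
    # Rates (1/ms) of the exponential sojourn times. t11..t33 stand for the
    # end-to-end transmission delay (page: ~0.02, i.e. mean 50 ms), t44 for
    # subsystem processing time (varied in the page's experiment).
    t11: float = 0.02
    t22: float = 0.02
    t33: float = 0.02
    t44: float = 0.02
    # Common failure probability weight (page: para... = loss1 = p ~ 1e-8).
    p: float = 9e-8
    # Time bound of the query Pr[<= deadline](<> getMA), in ms.
    deadline: float = 3000.0


def chain(params):
    """Hypothetical location chain abstracting figure 1: (location, rate, weight).

    The automaton waits an Exp(rate)-distributed time in each location, then
    takes the failure branch with probability `weight` (already normalised, as
    UPPAAL does with branch weights) or moves on to the next location.
    """
    return [
        ("dcdcheck", params.t44, params.p),  # DCD fault inspection
        ("sendplan", params.t22, params.p),  # operation plan to IVOC1
        ("rmu",      params.t11, params.p),  # RMU forwards train information
        ("oc",       params.t33, params.p),  # OC answers equipment query
        ("eoa",      params.t44, params.p),  # obstacle traversal / EOA
        ("mainfor",  params.t22, params.p),  # MAinfor output, may be lost
    ]


def simulate_run(params, rng):
    """One random run. Returns (reached_getMA, elapsed_ms)."""
    t = 0.0
    for _location, rate, weight in chain(params):
        t += rng.expovariate(rate)
        if t > params.deadline:          # bound of the query exceeded
            return False, t
        if rng.random() < weight:        # subsystem/communication failure
            return False, t
    return True, t                       # location getMA reached


def chernoff_hoeffding_runs(epsilon, alpha):
    """Runs so that |estimate - true probability| <= epsilon with confidence
    1 - alpha; this is the bound UPPAAL-SMC uses for probability estimation."""
    return math.ceil(math.log(2.0 / alpha) / (2.0 * epsilon ** 2))


def estimate_reachability(params, runs, seed=1):
    """Estimate Pr[<= deadline](<> getMA) from `runs` simulations.
    Returns (estimate, list of finishing times of the successful runs)."""
    rng = random.Random(seed)
    hits, times = 0, []
    for _ in range(runs):
        ok, t = simulate_run(params, rng)
        if ok:
            hits += 1
            times.append(t)
    return hits / runs, times


def cumulative_probability(times, runs, at):
    """Fraction of all runs that had produced MA by time `at` (figure 3 curve)."""
    return sum(1 for t in times if t <= at) / runs


def smc_check(params, epsilon=0.01, alpha=0.05, seed=1):
    """Full SMC estimation: sample size from the bound, estimate, interval."""
    runs = chernoff_hoeffding_runs(epsilon, alpha)
    est, times = estimate_reachability(params, runs, seed)
    return {
        "runs": runs,
        "p_getMA": est,
        "interval": (max(0.0, est - epsilon), min(1.0, est + epsilon)),
        "p_fault": 1.0 - est,                    # 1 - Pr[<=3000](<> getMA)
        "p_by_900ms": cumulative_probability(times, runs, 900.0),
    }


if __name__ == "__main__":
    # t44 values are assumed; a smaller rate means slower subsystem processing.
    for t44 in (0.02, 0.005, 0.002):
        r = smc_check(Params(t44=t44))
        print(f"t44={t44}: runs={r['runs']} P(fault)={r['p_fault']:.4f} "
              f"interval={r['interval']} P(MA by 900 ms)={r['p_by_900ms']:.3f}")
```

With p of the order of 10^-8 the failure branches are almost never taken in a few ten thousand runs, so the estimated P(fault) is dominated by runs that miss the 3000 ms bound; lowering t44 (slower processing) makes that visible immediately, which is the same qualitative effect the page reports for its t44 sweep. The Chernoff-Hoeffding sample size is what makes the estimate an interval with a stated confidence rather than a bare frequency: for ε = 0.01 and α = 0.05 it is 18445 runs, and to certify a failure probability below 10^-5 one would need ε of that order and therefore billions of runs, which is why point estimates at that level should be read with care.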

Conclusion
According to the safety requirements of the MA generation scenario, the uncertain factors in the information exchanged between subsystems are analyzed with the HAZOP method, and the causes and consequences of hazardous events are determined. Based on SHA theory and the results of the safety requirements analysis, an NSHA model of MA generation is established that dynamically describes the uncertain environment in which the system operates. Finally, the model is analyzed qualitatively and quantitatively with the SMC safety analysis method. The results show that the system is affected by uncertain factors during operation. To meet the corresponding quantitative safety level at the early design stage of the TcCBTC system, the parameter values of the uncertain factors should be set within a reasonable range, the communication delay between subsystems should be reduced, and the speed at which the software processes data should be improved. The method proposed in this paper supports the safety analysis of the TcCBTC system, has practical application value, and provides a theoretical basis for further research on the TcCBTC system.