AVACS Logo

Sigref – A Symbolic Bisimulation Tool

  • Overview
  • Publications
  • Benchmarks
  • Software
  • Model descriptions
  • Contact

  • Overview

    Sigref is a novel tool for the bisimulation minimization of labelled transition systems. The novelty of Sigref is that it is designed for symbolic representations of labelled transition systems (i.e., using BDDs). Sigref supports several notions of bisimulation equivalence, among which are the most prominent ones, e.g., strong, weak, and branching bisimulation. The most appealing property of Sigref is that all supported bisimulation types are handled within a uniform framework based on signatures. Hence, Sigref is also easily extendible to new types of bisimulation by just formulating the appropriate signature. The development of Sigref is tightly coupled to AVACS::S3, a sub-project of the German Transregional Colloborative Research Center 14 AVACS, devoted to Automatic Verification and Analysis of Complex Systems. For details, please check [www.avacs.org]

  • Publications

    The following publications contain details about the implementation and performance of Sigref:

    • M. Herbstritt, R. Wimmer, T. Peikenkamp, E. Böde, M. Adelaide, S. Johr, H. Hermanns, B. Becker
      Analysis of Large Safety-Critical Systems: A Quantitative Approach
      Reports of SFB/TR 14 AVACS Nr. 8 (siehe www.avacs.org), 2006, ISSN 1860-9821 (pdf, bibtex)
    • R. Wimmer, M. Herbstritt, B. Becker
      Minimization of Large State Spaces using Symbolic Branching Bisimulation
      Proceedings of the 9th IEEE Workshop on Design & Diagnostics of Electronic Circuits & Systems, April 2006 (pdf@IEEE-Xplore, bibtex)
    • Eckard Böde, Marc Herbstritt, Holger Hermanns, Sven Johr, Thomas Peikenkamp, Reza Pulungan, Ralf Wimmer, Bernd Becker
      Compositional Performability Evaluation for Statemate
      Proceedings of the 3rd International Conference on Quantitative Evaluation of Systems (QEST), Sept. 2006 (bibtex)
      • R. Wimmer, M. Herbstritt, H. Hermanns, K. Strampp, B. Becker
      Sigref - A Symbolic Bisimulation Tool Box
      Proceedings of the 4th International Symposium on Automated Technology for Verification and Analysis (ATVA), October 23-26, 2006, Beijing, China (pdf@Springer, bibtex)

    Further publications related to AVACS can be obtained from the [AVACS publication browser]

  • Benchmarks

    The following examples were mentioned in our current submission to TACAS 2007. The xml-files contain the BDD description for the labelled transition system. For the Statemate examples, there is also a brief description available.

    model description xml-file
    ETCS-1 etcs-1.xml
    ETCS-2 etcs-2.xml
    ETCS-3 etcs-3.xml
    BS-P bs-p.xml
    Kanban-4 kanban-4.xml
    Kanban-5 kanban-5.xml
    Kanban-6 kanban-6.xml
    Kanban-7 kanban-7.xml
    Kanban-8 kanban-8.xml
    Kanban-9 kanban-9.xml
    Milner-4 milner-4.xml
    Milner-5 milner-5.xml
    Milner-6 milner-6.xml
    Milner-7 milner-7.xml
    Milner-8 milner-8.xml

    A DTD for the xml-format can be found [here].

  • Software Download

    Sigref is publicly available, but please respect our wish to know to whom we have distributed the software. Hence, we really appreciate that you complete the following formular. After submitting the data, you will be directed to a website for downloading Sigref. Your submitted data will be kept secure.

    Please complete the following form:
    1. First name
    2. Last name
    3. Institution
    4. City
    5. Country
    5. Usage
    6. E-mail address

  • Model descriptions

    ETCS models

    Overview

    The model targets the problem of having more than one train on the same track. It is scalable so that arbitrary many trains can be handled. The analysis should check the collision of trains. In this work we focused on three instantiations having one, two, or three trains.

    There is a controlling unit for the track, named RBC (Radio Block Center). This unit and the working principle are part of the ETCS (European Train Control System) standard (see e.g. [ERTMS/ETCS]). This controller works that way that it gets the actual position of each moving train. To authorize a train to move on, it sends an authorization message. The idea is that the RBC only sends a moving authorization if it got the position from the previous train. Since a train is only allowed to send its new position if it is moving, each train can only move if the previous trains did already move before.

    With these assumptions (which are made to simplify the model) that a train can either move with full speed or doesn't move, and that the track the train is moving after getting a authorization from the RBC is constant, the safety requirement is much more simple (and needs no calculation of the exact position of one train): The train is safe if it only moves after getting the authorization from the RBC and if the RBC only sends a new authorization if it got an position notification from the previous train.

    This requirement is monitored by an observer. The observer also controls that the train does not stop if the track is free.
    There are some failures which can lead into faulty and unsafe behavior. For example the communication between the RBC and the trains can be lost.

    Model Description

    Main Chart

    The MAIN_CHART comprises the trains, a MAIN_OBSERVER, and an initializer, responsible for giving the first train on the track the authority to move on. The initializer simply fires the FREE_PLACE event, if the condition WAIT_FREE_PLACE_FM from the environment is set. The MAIN_OBSERVER waits for the FAILURE event from a train. The only thing it has to do is catch all failures from the trains and switch to its FAILURE state.

    Structure of Trains

    There is one activity chart for each train. It is split into three parallel ones. The first represents the RBC-communication part for this train, the second the train itself, and the third the observer. Each activity chart gets an input MOVE_FROM_PRED from the activity chart of the train in front of it, and sends an output MOVE_TO_NEXT to activity chart belonging to the train behind it. Furthermore every activity charts gets eight different conditions as input, representing the environmental behavior, which can not be directly influenced by the controller. This might be the expected, or an faulty behavior.

    FREE_PLACE
    This condition should be set, if there is a free place at the start of the track section.
    TRANS_SUCCEEDS
    Will be set, if the transmission from the train to the RBC is successful.
    TRANS_FAILS
    Will be set, if the transmission from the train to the RBC is not successful. This failure mode can lead into a faulty behavior.
    ERROR_STARTS
    Will be set, if an internal error inside the RBC occurs. The normal way to handle such an error is, to restart the RBC.
    ERROR_ENDS
    Will be set, if an internal error inside the RBC is repaired (for example, if the RBC was restarted).
    CONN_LOSS_STARTS
    Will be set, if the connection between the RBC and the train is lost.
    CONN_LOSS_ENDS
    Will be set, if the connection between the RBC and the train is restored. It is assumed, that the RBC is in its idle state, when the connection is reestablished.
    BRAKE
    Will be set, if the train does not get a new moving authorization, for some time.
    REPORT
    Will be set, when all necessary information for a new position report to the RBC are collected.

    RBC Communication

    Most of the environmental behavior influences the communication behavior between the train and the RBC. Normally the RBC part, responsible for the train, is idle (state IDLE). If it receives a position information from the train in front of it (event MOVE_FROM_PRED), is tries to transmit a moving authorization. Depending to the environmental behavior, this either fails, or succeeds (conditions TRANS_FAILS or TRANS_SUCCEEDS). The moving authorization will be submitted as an event (MOVE) to the parallel state which represents the train. If a train sends its position report to the RBC, an event (MOVE_TO_NEXT) is send to the next.

    There are two types of errors, which can make the communication not work. If the condition ERROR_STARTS is set, no communication between the train and the RBC is possible, due to an internal error of the RBC. The same applies when the condition CONN_LOSS_STARTS is set, indicating a connection loss. The loss of connection has a higher priority, because it does not matter, whether the RBC works correct or not, when there is no connection. To return into normal (connected) behavior, the conditions ERROR_ENDS or CONN_LOSS_ENDS have to be set.

    Train

    The train is separated in two parallel parts. The first controls the moving of the train. After getting a the MOVE event from the RBC communication part, the train is in the MOVING state until the BRAKE condition is set. After that the train waits in the BRAKING state until a new moving authorization is given. The second part controls the position reports. If the parallel chart is in state MOVING, a new position is reported (via the POSITION event). After that, the train has to wait in the state REPORT_SENT for the a new REPORT event, which indicates, that all necessary information for a new report are collected. Then it changes to the REPORT_READY state, form which it can again send a new position report (under the condition of being in the MOVING state).

    Observer

    The observer has two parallel states, one observing the correct sending of a moving authorization, and the other observing the correct sending of a position report. The moving authorization is observed by making sure, that the MOVE_FROM_PRED event is followed by the MOVE event. This is done by two exclusive states (WAIT_FROM_PRED and WAIT_FOR_MOVE). If one of the events is set without the other the chart switches to a failures state, and fires a FAILURE event to the MAIN OBSERVER. The position report is observed in a similar way. Here the events POSITION and MOVE_TO_NEXT have to occur alternating. If not the chart switches in a failure state again, and the FAILURE event is fired to the MAIN OBSERVER.

    Braking-system models

    Model Description

    The braking system is taken from the case study used in the ARP 4761. The job of the system is to provide hydraulic pressure to the wheels of the aircraft, whenever the pilot pushes the braking pedals. The autobraking mode, where the pilot specifies a deceleration rate and the braking system computes the necessary braking commands itself, is not considered.

    Figure 1: The main activity chart of the braking system

    The system consists three redundant hydraulic pressure lines, various valves and a computer called BSCU (Braking System Command Unit), which computes braking and anti-skid commands based on the pilot input. The structure of the system is shown in figure 1. The inputs to the system are supplied by three external activities. POWER supplies electrical power needed by the BSCU via two redundant lines PWR_1 and PWR_2. Hydraulic pressure (HYDRAULIC) is supplied from three independent lines, the green or normal line (GREEN_PRESSURE_IN), the blue or alternate line (BLUE_PRESSURE_IN) and the emergency line (EMERGENCY_PRESSURE_IN). Note that this is a small difference to the original system given in the ARP, as the emergency pressure is supplied from inside the system there. The remaining inputs are given by the PILOT. These are the braking command specified via the position of the braking pedals (PEDAL_POS), the manual mode selection (MODE_SELECTION, see below) and the deceleration rate for the autobraking (AB_DECEL_RATE, currently unused). The output of the system is the hydraulic pressure applied to the wheels. Pressure can be supplied via two redundant lines, GREEN_PRESSURE_OUT and BLUE_PRESSURE_OUT. These lines are driven by the three different operational modes, corresponding to the three input pressure lines.

    The normal mode is driven by the green pressure line and is completely controlled by the BSCU. When the BSCU or the green pressure line fails, the alternate mode engages. Pressure is supplied via the blue hydraulic line, basic braking commands are now directly controlled by the pilot. The BSCU will add anti skid commands if it is working. When the blue pressure failes, the emergency pressure kicks in which also drives the blue output pressure. In emergency mode, anti skid is disabled, regardsless of the BSCU state. Mode switches are controlled by the SELECTOR_VALVE_AC. It switches to the next available pressure line, when the currently active on fails. Switching is monotonic in this version of the model - the system starts in normal mode and can only switch ``down'' to the next available mode, not back. When the BSCU stops operating, it sends a shutoff signal to the SHUT_OFF_SELECTOR_VALVE_AC valve, which inhibits the green pressure to reach the selector valve, thus deactivating the normal mode.

    The implementation of the BSCU is shown in figure 2. It consists of two redundant computation units (COMMAND_1_AC and COMMAND_2_AC), two monitoring units (MONITOR_1_AC and MONITOR_2_AC), the logic to chose between these two lines (SELECT_CMD_AC) and the shutoff monitor (SHUTOFF_AC). In the current implementation, each command unit simply copies the braking command given by the pedal position. The monitoring units compute a reference command in the same way and compare it to the output of the command units. As soon as those commands differ, the corresponding invalid signal is set (INVALID_1 or INVALID_2). The switching unit selects the command computed by the first command unit, unless the INVALID_1 signal is set. As soon as both invalid signals are set, the shutoff unit sets the shutoff signal.

    Figure 2: The implementation of the braking system control unit

    Safety Analysis

    There are two safety requirements which are considered in the analysis of the braking system. The first requirement under consideration is the shutoff of the BSCU. The following failure modes are considered for this analysis:

    • failure of the command computation (CMD_{1,2})
    • failure of the anti skid command computation (AS_CMD_{1,2})
    • failure of the monitor command computation (MON_{1,2}_CMD)


    The analysis generated the quotient shown in figure 3.

    Figure 3: The quotient for the BSCU shutoff

    The second safety requirement under consideration is the complete loss of braking commands. The failure modes under considertation are the same as above and additionally:

    • failure of the invalid signals (INVALID_{1,2}),
    • failure of the command selection switch (SELECT_CMD_2)
    • failure of electrical power (PWR_{1,2})
    • failure of hydraulic pressure ({GREEN,BLUE,EMERGENCY}_PRESSURE_IN)
    • manual mode selection (MODE_SELECTION)

  • Contact

    In case of questions, don't hesitate to drop an email to wimmer@informatik.uni-freiburg.de.

  • Valid XHTML 1.0! Valid CSS!