A Train Control System Case Study in Model-Based Real Time System Design

Armin Zimmermann and Günter Hommel
Real-Time Systems and Robotics Group
Technische Universität Berlin
Einsteinufer 17, D-10587 Berlin, Germany
E-mail: {azi, hommel}@cs.tu-berlin.de

Conference paper, January 2003. DOI: 10.1109/IPDPS.2003.1213234 (source: DBLP)

Abstract

The future European Train Control System (ETCS) will be based on mobile communication and overcome fixed blocks in order to increase track utilization and interoperability throughout Europe. Data processing on board the train and in radio block centers as well as the radio communication link are crucial factors for the safe and efficient operation. Their real-time behavior under inevitable link failures needs to be modeled and evaluated. The paper presents a first simplified model of communication failure and recovery behavior as well as safety-critical data exchange. Performance evaluation of the stochastic Petri net model shows that the official quality of service specifications may lead to a bad utilization.

0-7695-1926-1/03/$17.00 (C) 2003 IEEE

1. Introduction

Train control is an important part of the railway operations management system. Traditionally it connects the fixed signaling infrastructure with the trains. With the European Union ERTMS/ETCS project (European Rail Traffic Management System/European Train Control System), a standardised European train control system is designed, which will gradually replace the great number of different train control systems in use today. It will allow trains to cross borders without the need to change locomotive or driver, as it is still necessary today. The system forms the cornerstone of a common system for train control and traffic management.

At the final stage of ETCS implementation throughout Europe, more or less all train control infrastructure will be either on-board the trains or distributed in control centers. There is no need for optical signals, wheel counters, or a fixed arrangement of track parts into blocks. Trains and control centers are connected by mobile communication links. The safety of passengers depends on the communication system reliability. Real-time communication and information processing play a major role for the implementation of ETCS. The case study presented in this paper is thus a truly distributed real-time system.

The importance of quality of service parameters for the communication and specification of the real-time behavior of subsystems has been addressed in the specifications of ETCS (see e.g. [10, 11]). The requirements are however not very detailed, e.g. no distributions are considered, but only probabilities of meeting certain deadlines. While it is important to specify subsystem characteristics, the real-time behavior of the system as a whole can only be assessed by looking at their interaction. This paper goes a first step into that direction by evaluating one safety-critical communication structure together with its failure behavior.

In addition to offering interoperability between the different European railroad companies, another major goal is to increase track utilization with higher throughput of high-speed trains. It is obvious that dropping the standard block synchronization of trains and migrating to a virtual block system has the potential of allowing closer distances between trains. However, we show that the anticipated driving in brake distance behind another train cannot be reached with ETCS under worst-case assumptions.

The mentioned evaluations can only be done using some kind of model, independent of whether it is a simulation program or based on a formal modeling technique. In this paper variants of stochastic Petri nets [1, 5] are used to describe the functional and timing behavior of ETCS train communication.

Petri nets [22] and their stochastic timed extensions have proven to be a useful formalism for real-time systems. They are considered to describe discrete event systems in a concise and appropriate way. An additional advantage is the availability of many different analysis and simulation techniques as well as software tools. However, the drawbacks of the different evaluation techniques appear for the presented example as well. Petri nets have been used in the context of real-time systems many times, see e.g. [3, 15, 19]. A comparison between continuous and discrete time stochastic Petri nets for real-time systems was given in a previous paper [27].

Most of the work in the area of train control systems deals with qualitative aspects like validation of correctness, absence of forbidden safety-critical states etc. Yet in a real-time system like a distributed communication-based train control system, critical safety questions can only be answered when also quantitative aspects are considered and evaluated. Failures and other external influences on the model require stochastic model values, but fixed values for deadlines or known processing times are equally important. Modeling and evaluation techniques need to support both in order to be applicable in this area.

In [17, 20] the ETCS communication structure is modeled with colored Petri nets. The model is used for a division of the system into modules, visualization of the functional behavior, and a check of different scenarios.

A verification of the radio-based signaling system together with a case study of a rail/street crossing is carried out in [8]. Live sequence charts are used to model the system, which is analyzed with the STATEMATE software tool.

The ETCS radio block center is formally modeled and validated in [4]. Message sequence charts are used to model and check different scenarios.

The ETCS train traffic is compared with today's standard train control operations in Germany in a simulation study of Deutsche Bahn (German railways company) [23]. Using a proprietary simulation program, the movement of a set of trains through an example line is simulated. The results say that ETCS operation in its final stage will increase track utilization by about 30% for the example. However, the communication is not modeled, and failures are not taken into account.

Modeling and evaluation of complex systems is only feasible with the support of appropriate software tools. Design, analysis and simulation of the models presented in the paper is done using the tool TimeNET [26]. It offers non-Markovian uncolored and colored Petri net modeling and numerical analysis as well as simulation algorithms.

The remainder of the paper is organized as follows: After a brief overview of the ETCS communication architecture, a model for the communication system failures is developed and analyzed in Section 3. A condensed model is derived from the results in the sequel. Section 5 describes how a safety-critical part of the ETCS communication system is modeled and presents results of a real-time behavior evaluation.

2. The European Train Control System

In order to facilitate fast and efficient train traffic across borders in Europe, a unified European Train Control System (ETCS) [10] is under development in several European countries. ETCS is the core part of the more general European Railway Traffic Management System (ERTMS). The normal fixed block operation with mechanical elements, interlockings and optical signals will be substituted by a radio-based computerized train control system. The system receives commands about the train routes that are to be set, and then directs wayside objects along these routes. To simplify migration to the new standard, ETCS defines three levels of operation.

ETCS Level 1 uses spot transmission of information to the train via passive transponders. It is a supplement for the conventional, existing trackside signaling technology for lines with low to moderate train density. The block sections are defined by the existing signaling system. This level increases safety against passing signals at danger and in areas of speed restriction.

With the ETCS Level 2 system, radio communication replaces the traditional trackside signals, which allows considerable savings in infrastructure and maintenance costs. The system enhances safety considerably by monitoring train speed and, if necessary, intervening automatically. This allows higher speeds and shorter headways and thus increases capacity. The traffic management system processes and sends information and instructions for the train driver directly onto a monitor in the driver's cab via radio communication. A Radio Block Center (RBC) traces the location of each controlled train within its area. The RBC determines and transmits track description and movement authorities according to the underlying signaling system for each controlled train individually. The first ETCS Level 2 track has been installed between Olten and Luzern, Switzerland in April 2002 for Swiss Federal Railways (SBB).

ETCS Level 3 additionally takes over functions such as the spacing of trains. No trackside monitoring system is necessary as trains actively report their head and tail positions as well as train integrity to control centers. Moving block can be applied to increase line capacity. An essential advantage of level 3 is the reduction in life cycle costs through the abolition of the devices for track occupancy monitoring and trackside signals. The only trackside hardware necessary are so-called balises, small track-mounted spot devices which communicate their identity and exact position to trains that drive over them. They are used to re-calibrate the on-board position tracking system, which otherwise relies on wheel sensors and can thus be inaccurate during a longer trip.

Figure 1 depicts a simplified view of the communication architecture underlying ETCS. Each train features a train integrity control system and a computer that can control train speed. It communicates via GSM-R radio with base transceiver stations (BTS), which are connected to base station controllers (BSC) by cable. The BSCs are communicating with radio block centers via ISDN.

Figure 1. Simplified ETCS communication architecture: Train, GSM-R radio link, BTS, BSC, ISDN network, RBC.

Radio Block Centers (RBC) are the trackside part for radio at ETCS level 2 and 3. Their major functions include safe train separation based on safe allocation of routes by regulation and interlocking. Position and integrity reports are sent by the trains periodically or upon request. Based on this information and the train routes, safe track areas are assigned to trains. This is done with so-called movement authority messages.

The European Integrated Railway Radio Enhanced Network (EIRENE) project was started on behalf of the European Railways to define a new digital radio standard for application on the European High Speed Rail System. The EIRENE System Requirements Specification [13] defines the set of requirements which a railway radio system shall comply with in order to ensure interoperability between national railways. GSM (Global System for Mobile Communications) was chosen as the base technology because of availability and cost considerations. Additional functions which are tailored to the needs of railroad use (like area addressing, automatic international roaming etc.) have been defined as Railway GSM (GSM-R [7]). For up-link and down-link there are different frequency bands reserved for GSM-R around 900 MHz.

The EURORADIO layer of the communication link specifies the Radio Communication System requirements to the air gap interface between train and trackside equipment [11, 18]. The MORANE (Mobile Radio for Railway Networks in Europe [21]) project was set up to specify, develop, test and validate prototypes of a new radio system. Trial sites exist in France, Italy and Germany. Results of a quality of service test at one of these sites are presented in [24].

3. An ETCS Communication System Failure Model

The ability to exchange data packets with position and integrity reports as well as movement authority packets will be crucial for the reliable operation of ETCS. In this section, a quantitative model of the failure and recovery behavior of the communication base system is presented and analyzed. The results will be used in the subsequent section to examine moving block operation and the necessary data exchange while taking into account the reliability of the communication channel.

The model is based on the following sources of information about the qualitative and quantitative behavior of the communication system and its failures:

- A Quality of Service parameter specification (maximum connection establishment delay etc.) is given in the Euroradio form fit functional interface specification (FFFIS) [11].

- Allowed parameter ranges for some system design variables (like the minimum time between two subsequent position reports sent by a train) are specified in ERTMS Performance Requirements for Interoperability [12].

- Definitions of requirements of reliability, availability, maintainability and safety (RAMS) as well as acceptable numbers of failures per passenger-kilometer due to different reasons can be found in the ERTMS RAMS Specification [9].

- Some additional assumptions (mean time to complete the on-board train integrity check etc.) have been taken from a description of simulation experiments carried out by the German railways company [23].

- Another detailed description of communication quality of service parameters is provided in [16], serving as acceptance criteria for future measurements and tests of actual ETCS communication setups.

- Results of such a quality of service test at a railway trial site are presented in [24], thus facilitating a comparison with the original requirements. It turns out that the QoS parameters are in the required range, although often close to and even sometimes worse than the requirements. In the following, however, we adopt worst case assumptions based on the requirements, because future implementations will be bound to perform as required.

The communication link between train and RBC is always connected in normal operation mode. In that situation the following failures may happen:



- Transmission errors occur from time to time, possibly due to temporarily bad radio signal conditions. There is no action necessary, because after a short time the link is operable again.

- Connection losses may happen e.g. due to longer radio signal problems in areas where the radio coverage is not complete. The train hardware detects this state after some timeout and tries to establish a new connection. There is a slight chance of failing to establish such a connection until a certain timeout has elapsed, after which the connection establishment procedure starts over again.

- Handovers take place every time the train crosses the border between the communication areas of two neighboring base transceiver stations (BTS). The train connects to the next BTS automatically, but this may take some time.

Figure 2. Failure and recovery model for the GSM-R communication channel. Places: connected, burst, handover, lossindication, offline, establish, estfail. Timed transitions: startburst, endburst, cellborder, reconnect, loss, indicate, connect, fail. Immediate transitions: estp, failp.

Figure 2 shows a deterministic and stochastic Petri net [2] model of the described behavior. The firing delays and distributions have been chosen as follows. One unit of model time means one second in reality.

Transition startburst models the beginning of a transmission error. It has an exponentially distributed firing delay because of the stochastic nature of transmission errors. The corresponding firing time is comparable to a mean time to failure of the communication link due to transmission errors. The specification requires this value to be greater than or equal to 7 seconds for 95% of all cases. From the density and distribution functions of the exponential distribution

$f(x) = \lambda e^{-\lambda x}$ and $F(x) = 1 - e^{-\lambda x}$

we can calculate the necessary parameter value: $P(X \ge 7) = 1 - F(7) = e^{-7\lambda} = 0.95$, and thus $\lambda = -\ln(0.95)/7 = 0.00733$.

Transition endburst models the end of the transmission problem. The delay is assumed to be memoryless and the specification requires it to be smaller than one second in 95% of all cases. Thus the transition is exponential; the same computation, $F(1) = 1 - e^{-\lambda} = 0.95$, gives the parameter $\lambda = -\ln(0.05) \approx 3$.

The crossing of a cell border and connection setup with a new BTS is modeled by transitions cellborder and reconnect, respectively. Normally the BTS are situated a few meters away from the track and have a typical density of a fraction of a BTS per km. Another source specifies 7 km as the mean BTS distance, which is adopted here. Unlike for personal use of a mobile phone, handovers happen quite often due to the speed of the train. ETCS is required to work for speeds up to 500 km per hour (139 meter per second). Thus the worst-case mean time between two handovers is 50.4 seconds. The firing delay of cellborder is thus exponentially distributed with parameter 0.0198 (the mean delay being equal to $1/\lambda$). From the specification we know that a reconnection is required to take at most 300 msec, which is taken as a worst case with a deterministic transition reconnect.

Following the specification, a complete connection loss takes place only rarely, namely about $10^{-4}$ times per hour or $2.78 \cdot 10^{-8}$ per second. The parameter of the exponential transition loss is set accordingly. There is a certain amount of time needed to detect the communication loss, which is required to be not greater than one second. This is modeled by the deterministic transition indicate with one as the fixed delay.

After being offline, the train communication system tries to reestablish the link at once. The requirements specify that a connection attempt must be successful with probability 99.9%, while in the remaining cases the establishment is canceled after 7.5 seconds and retried. This behavior is modeled with immediate transitions carrying the success/fail probabilities estp and failp, and the deterministic transition fail with delay 7.5. Connection establishment times are random, but required to be less than 5 seconds for 95% of the cases. The corresponding firing distribution of transition connect is thus exponential with parameter $-\ln(0.05)/5 \approx 0.6$.

The model shown in Figure 2 depicts states and state transitions of the communication link. The initial state is connected. It is obvious that there will always be exactly one token in the model, letting the Petri net behave like a state machine, and the reachability graph is isomorphic to the net structure.

Because in every marking there is at most one transition with non-exponentially distributed firing delay enabled, the model can be numerically analyzed with standard DSPN algorithms [6]. Because of the state machine structure it would also be possible to exchange all deterministic transitions (delay $\tau$) with their exponential "counterpart" (with firing rate $1/\tau$), without changing the resulting steady-state probability vector. It could then be analyzed as a simple GSPN [1].

Numerical analysis of the example is computationally inexpensive due to its small state space. Despite the "stiffness" of the problem (e.g. firing rates of transitions endburst and loss differ by eight orders of magnitude) the exact solution is a matter of seconds. A simulation with proper confidence interval control would take quite some time because of the mentioned rare events.

Figure 3 shows the results of the numerical analysis. The connection is working with a probability of 99.166%. This is much worse than the required availability of 99.95% as specified in [11]. This requirement is commented to be a coverage requirement, although we see from the model evaluation that already the allowed handover downtimes violate this requirement.

Place/State       Probability
connected         0.99166
burst             about 2.4e-03
handover          5.9e-03
lossindication    2.8e-08
establish         4.6e-08
estfail           2.1e-10

Figure 3. Performance results of the communication failure model (steady-state probability of one token in each place).

In fact, handovers account for more than 70% of the overall unavailability. To avoid their impact on the communication link, there are discussions about installing two independent GSM-R devices in each train. For instance in the Rome-Naples ETCS installation all electronic units have been duplicated for a higher reliability and availability. The connection to the next BTS can then be carried out when the train gets close to the cell border, thus avoiding any offline state due to handovers.

4. Derivation of a Condensed Failure Model

The goal of this paper is to evaluate the operation in moving block mode (ETCS level 3) under communication failures. In the subsequent section a model for the real-time communication between trains and radio block centers is presented. However, its performance evaluation is computationally expensive, which is in part due to the combination of the failure model with the normal operation model.

Condensing the failure model into a smaller one introduces a tradeoff between model complexity and model accuracy. We decided to condense the failure model into a two-state system with the basic states ok and failed. The corresponding stochastic Petri net (GSPN) is shown in Figure 4.

Figure 4. Condensed failure model: places ok and failed, transitions fail (ok to failed) and recover (failed to ok).

The question is then how to specify the transition firing rates to minimize the approximation error. The main characteristic of the failure model is the mean availability, which shall be equal in the exact and condensed model. Thus the probability of having one token in place ok needs to be 0.99166.

Even with a correct availability an error can be introduced by selecting a wrong speed of state changes between ok and failed. If the speed were too high, no correct packet transmission would be possible, because a certain undisturbed time (given by the packet length and transmission bit rate) is always necessary. The second restriction which we impose on the condensed model is thus to keep the mean sojourn time in state ok exactly as it was in the full model. This time is the reciprocal value of the sum of all transition firing rates going out from the state, in our case $1/(\lambda_{startburst} + \lambda_{cellborder} + \lambda_{loss}) \approx 36.8$ s.

With these two restrictions the transition rates can be easily calculated. Let $\lambda$ denote the transition rates and $\pi$ the state probability vector in steady state. Then

probabilities: $\pi_{ok} = 0.99166$, $\pi_{failed} = 1 - \pi_{ok}$

balance equation: $\pi_{ok}\,\lambda_{fail} = \pi_{failed}\,\lambda_{recover}$

sojourn time: $1/\lambda_{fail} = 1/(\lambda_{startburst} + \lambda_{cellborder} + \lambda_{loss}) \approx 36.8$ s

and thus $\lambda_{fail} \approx 0.0272$ and $\lambda_{recover} = \pi_{ok}\,\lambda_{fail}/\pi_{failed} \approx 3.23$.

The model is then completely defined and will be used as a simplified failure model in the subsequent section.
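The following program is an added example (not the authors' TimeNET model and not code from the paper) that carries out the Section 3 steady-state analysis and the Section 4 condensation in plain Python. It builds the continuous-time Markov chain underlying the state-machine net of Figure 2, with every deterministic transition replaced by an exponential one of the same mean (which, as noted above, leaves the steady-state vector of this net unchanged), solves the balance equations with a small Gauss-Jordan routine, reports the share of each place in the overall unavailability, and derives the two rates of the condensed ok/failed model from the availability and the mean sojourn time in connected. All rates are the ones quoted in the text; the vanishing marking offline is folded into the arcs leaving lossindication and estfail, which is a modeling choice of this example.

```python
"""Steady-state analysis of the GSM-R failure/recovery model (Section 3) and
its condensation to the two-state ok/failed model (Section 4).  Added example;
this is not the paper's TimeNET model.  Deterministic transitions are replaced
by exponential ones with the same mean, which, as the paper notes for this
state-machine net, leaves the steady-state vector unchanged."""
import math

# Transition rates in 1/s, all taken from the requirements quoted in the paper.
STARTBURST = -math.log(0.95) / 7.0   # MTTF >= 7 s in 95% of cases   (~0.00733)
ENDBURST = -math.log(0.05) / 1.0     # burst over within 1 s in 95%   (~3.0)
CELLBORDER = 1.0 / 50.4              # 7 km cells at 139 m/s
RECONNECT = 1.0 / 0.3                # 300 ms handover (deterministic in paper)
LOSS = 1e-4 / 3600.0                 # connection loss ~1e-4 per hour (~2.78e-8)
INDICATE = 1.0 / 1.0                 # 1 s loss detection (deterministic in paper)
ESTP, FAILP = 0.999, 0.001           # immediate success/fail branch after offline
FAIL = 1.0 / 7.5                     # attempt cancelled after 7.5 s (det. in paper)
CONNECT = -math.log(0.05) / 5.0      # establishment < 5 s in 95%      (~0.6)

# Tangible markings of the net (the marking "offline" is vanishing).
STATES = ["connected", "burst", "handover", "lossindication", "establish", "estfail"]


def generator():
    """Infinitesimal generator Q of the CTMC: Q[i][j] is the rate i -> j."""
    idx = {s: i for i, s in enumerate(STATES)}
    n = len(STATES)
    q = [[0.0] * n for _ in range(n)]
    arcs = [
        ("connected", "burst", STARTBURST),
        ("burst", "connected", ENDBURST),
        ("connected", "handover", CELLBORDER),
        ("handover", "connected", RECONNECT),
        ("connected", "lossindication", LOSS),
        # indicate fires, then the immediate estp/failp branch is resolved
        ("lossindication", "establish", INDICATE * ESTP),
        ("lossindication", "estfail", INDICATE * FAILP),
        ("establish", "connected", CONNECT),
        # a cancelled attempt is retried; the FAIL * FAILP self-loop is dropped
        ("estfail", "establish", FAIL * ESTP),
    ]
    for src, dst, rate in arcs:
        q[idx[src]][idx[dst]] += rate
        q[idx[src]][idx[src]] -= rate
    return q


def solve_linear(a, b):
    """Gauss-Jordan elimination with partial pivoting; no numpy needed."""
    n = len(a)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(m[r][c]))
        m[c], m[p] = m[p], m[c]
        for r in range(n):
            if r != c and m[r][c] != 0.0:
                f = m[r][c] / m[c][c]
                m[r] = [x - f * y for x, y in zip(m[r], m[c])]
    return [m[i][n] / m[i][i] for i in range(n)]


def steady_state(q):
    """Solve pi * Q = 0 with sum(pi) = 1 (one balance equation is redundant)."""
    n = len(q)
    a = [[q[i][j] for i in range(n)] for j in range(n)]   # a[j] = column j of Q
    b = [0.0] * n
    a[-1], b[-1] = [1.0] * n, 1.0
    return dict(zip(STATES, solve_linear(a, b)))


def unavailability_shares(pi):
    """Fraction of the total downtime spent in each non-connected state."""
    down = 1.0 - pi["connected"]
    return {s: pi[s] / down for s in STATES if s != "connected"}


def condensed_model(pi):
    """Two-state GSPN of Section 4: same availability and same mean sojourn
    time in ok as the full model."""
    lam_fail = STARTBURST + CELLBORDER + LOSS        # 1 / mean sojourn in connected
    pi_ok = pi["connected"]
    lam_recover = pi_ok * lam_fail / (1.0 - pi_ok)  # pi_ok*lam_fail = pi_failed*lam_recover
    return {"lam_fail": lam_fail, "lam_recover": lam_recover,
            "mean_sojourn_ok_s": 1.0 / lam_fail}


if __name__ == "__main__":
    pi = steady_state(generator())
    print(f"availability (connected): {pi['connected']:.5f}")
    print("share of unavailability:",
          {s: f"{v:.3f}" for s, v in unavailability_shares(pi).items()})
    print("condensed model:", condensed_model(pi))
```

Running the script reproduces the availability of about 0.9917 and the handover share of roughly 71% of the unavailability; the condensed chain returns exactly the availability it was fitted to, while the one-second and 7.5-second deterministic delays only matter for the (negligible) loss states. Partial pivoting is what keeps the elimination stable despite rates spanning eight orders of magnitude.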
The failure model of Section 3 is therefore condensed into this smaller model, facilitating a less complex evaluation of the combined model. This is possible because the failure model does not depend on the operation model.

5. A Moving Block Operation Model

In this section a model of the position report message exchange and emergency braking due to communication problems is developed and analyzed. We are interested in the dependency between maximum throughput of trains and reliability measures of the communication system. ETCS is being introduced in order to maximize track utilization by high-speed trains. The maximum utilization will be achieved if trains are following each other with a minimum distance. The question is then how close after each other can trains be operated under ETCS? We assume in the following a continuous track without stops, on which trains follow each other with a maximum speed $v$ (current high-speed trains have a maximum speed of 300 km/h) and a distance $s$. Moreover, for the following considerations we arbitrarily select w.l.o.g. two trains (Train1 and Train2) that directly follow each other. To ensure safety of the system, worst-case assumptions are made for all timings, distances etc.

Continuous operation is facilitated by the new notion of virtual moving blocks. Because there is no fixed block assigned to a train, and no physical block borders exist, the train movement is controlled by exchanging messages with the radio block center (RBC). Each train checks periodically its integrity and sends the integrity information together with the current position of the train head to the RBC. The time needed to check the train integrity is specified to be in the range between 2 to 5 seconds. Let $T$ denote the time between two successive position reports of Train1. The requirements definition specifies an admissible range for $T$ (compare [12]). It is obvious that more frequent position reports will facilitate smaller train distances $s$, thus we choose $T$ at the small end of that range.

The integrity/position report is sent via GSM-R to the RBC and processed there, which takes a maximum of 0.5 sec. The resulting information is sent to the following Train2, telling it either that everything is fine to go on driving (by sending a new movement authority packet) or that an emergency braking is necessary immediately.

However, if a communication packet is lost on either the communication up-link (Train1 to RBC) or down-link (RBC to Train2), Train2 needs to decide on its own at what point of time emergency braking is inevitable out of safety reasons. There is obviously a deadline $d$ after the last movement authority has been received, after which the train needs to be stopped. The worst-case assumption is that after the last integrity check has been completed, a part of the train's carriages are lost from the main train and stop where they are. Another danger for the following train is an accident after sending the position/integrity report. The ETCS system requirements specification thus states that "In moving block operation the movement authority shall never exceed the min safe rear end of the preceding train" [10].

We would like to investigate the deadline $d$ and its dependency on the train distance $s$ (see Figure 5 for an illustration). First of all the train length (about 410 m for the German high-speed train "ICE") needs to be subtracted from the distance. Second, when the results of the position/integrity report of Train1 arrive at Train2, the information is already some time old. The worst-case delay can be estimated as follows: 5 seconds to complete the integrity check, 2.4 seconds end-to-end delay and 0.13 seconds (32 Bytes at 240 Bytes/second) to transfer the message to the RBC, 0.5 seconds to process the information there, again 2.4 + 0.13 seconds for the downlink transfer to Train2 plus assumed 0.44 seconds to process the information in the train and start braking if necessary (12 seconds altogether). Then there is a location error possible in the position report of Train1, which cannot exceed 20 m due to specifications of relative error and re-calibration at the balises. The emergency braking distance needs to be subtracted as well, being between 2300 and 2800 m depending on the actual speed. For simplicity we assume braking distance plus train length plus position error as 3000 m.

Figure 5. Train distance and deadline: Train2 follows Train1 at distance $s$; subtracting brake distance, position error, packet age and train length leaves the deadline $d$.

The deadline is then given by

$d = \dfrac{s - 3000\,\mathrm{m}}{v} - 12\,\mathrm{s}$

and the minimum theoretical distance for $d = 0$ is thus $s = 4000$ m. This simple consideration already shows that the common term of "driving in braking distance" with ETCS is misleading, because even if everything would run perfectly trains cannot get closer than 4 km.

Figure 6 shows a Petri net model for the above explained behavior. The upper part models the generation of the position/integrity report and its transmission to the following train via the RBC. Every time a new movement authority arrives at the second train, the current deadline (transition Timeout) is reset and started again (transition restart). If the deadline is violated, the train stops and we assume a Resetup time of 15 minutes before the train can move on. Movement authority packets arriving during that time are dropped.

Figure 6. Model of communication during moving block operation. Upper part (message exchange): GenMsg, sendingUp, TransmitUp, process (RBC), sendingDown, TransmitDown, arrived, accept, newpacket, restart, drop, waiting, Timeout, stopped, Resetup. Lower part (condensed link): ok, failed, fail, recover, and the loss transitions lossUp and lossDown.

The failure behavior of the communication link is given by the condensed model as derived in the previous section. It is connected to the main model in a way that all messages are lost (tokens are removed from places sendingUp and sendingDown) as long as the link is failed. This is facilitated by firing transition lossUp or lossDown, which are enabled only when the communication channel is not in state ok.

The end-to-end transmission delay for messages is specified in the requirements as being between 0.4 and 0.5 seconds on the average, but being less than 0.5 for 95%, less than 1.2 seconds for 99%, and less than 2.4 seconds in 99.99% of all cases. For a realistic mapping of this timing behavior into the stochastic Petri net model we used two generalized transitions with expolynomial firing delays, as they are allowed in the class of extended and deterministic stochastic Petri nets (eDSPNs [14]). The actual data transmission times (0.13 seconds for a packet) have to be incorporated as well. The transition firing delay of TransmitUp and TransmitDown is defined by the following density function (the interval bounds are the specified percentile bounds plus the 0.13 s packet time):

$f(x) = 9.5$ for $0.53 \le x \le 0.63$

$f(x) = 0.057$ for $0.63 < x \le 1.33$

$f(x) \approx 0.008$ for $1.33 < x \le 2.53$

$f(x) = 0$ otherwise

For the performance evaluation of the model the numeric analysis cannot be used, because the restriction of not more than one enabled non-exponential transition per marking is violated. Switching to an underlying discrete time scale [27] does not help either, because then the state space becomes so large that it cannot be handled by the available computing hardware. This is due to the fact that there are small delays and small differences between delays, necessitating a very small underlying time step, leading to a state space explosion.

Thus simulation was the only choice, but has its own problems. For a distance $s = 4500$ m the deadline is 6 seconds. In that case the model evaluation shows that the train is stopped with a probability of 94%. Even for a distance $s = 5000$ m and a resulting deadline of 12 seconds, the probability of being stopped is 33%. For higher deadline

of the stopping probability depends exactly on that. It is well known that rare events as in this case cannot be handled efficiently by standard simulation algorithms. In the future we plan to apply acceleration techniques such as the RESTART method [25] to the train example.

However, the two computed probabilities of stopping are of course unacceptable and show that by assuming the worst case of the allowed specification, the communication based ETCS level 3 would be impossible to operate. Further investigations are necessary to study the behavior for different setups or more restrictive quality of service specifications in order to achieve a reliable train control system.

6. Conclusion

Model based performance evaluation is helpful during the design of distributed real-time systems. The paper presents the safety-critical communication inside the future European Train Control System as a case study. Stochastic Petri nets are used to model and evaluate the failure and recovery behavior of the communication link as well as its combination with the exchange of vital train information between trains and radio block centers. Numerical results are presented which put into perspective quality of service specifications and possible track utilization. The model evaluations show that worst-case communication behavior leads to unacceptable train operation situations. It will be crucial for the economic success of ETCS to further assess the real-time behavior of hardware and communication system under failures.

References

[1] M. Ajmone Marsan, G. Balbo, G. Conte, S. Donatelli, and G. Franceschinis. Modelling with Generalized Stochastic Petri Nets. Series in Parallel Computing. John Wiley and Sons, 1995.

[2] M. Ajmone Marsan and G. Chiola. On Petri nets with deterministic and exponentially distributed firing times. In G. Rozenberg, editor, Advances in Petri Nets 1987, volume 266 of Lecture Notes in Computer Science, pages 132–145. Springer Verlag, 1987.

[3] G. Bucci and E. Vicario. Compositional validation of time-critical systems using communicating time Petri nets. IEEE Transactions on Software Engineering, 21(12):969–992, 1995.

[4] A. Chiappini, A. Cimatti, C. Porzia, G. Rotondo, R. Sebastiani, P. Traverso, and A. Villafiorita. Formal specification and development of a safety-critical train management system. In SAFECOMP, pages 410–419, 1999.

[5] G. Ciardo, R. German, and C. Lindemann. A characteriza-
values the simulation was not completed because it took tion of the stochastic process underlying a stochastic Petri
too long to finish. The reason is that for a higher dead- net. IEEE Transactions on Software Engineering, 20:506–
line, deadline misses are less frequent and the computation 515, 1994.

0-7695-1926-1/03/$17.00 (C) 2003 IEEE


[6] G. Ciardo and C. Lindemann. Analysis of deterministic and stochastic Petri nets. Performance Evaluation, 18(8), 1993.
[7] A. Coraiola and M. Antscher. GSM-R network for the high-speed line Rome-Naples. Signal und Draht, 92(5):42–45, 2000.
[8] W. Damm and J. Klose. Verification of a radio-based signaling system using the STATEMATE verification environment. Formal Methods in System Design, 19(2):121–141, 2001.
[9] EEIG ERTMS User Group. ERTMS/ETCS RAMS Requirements Specification. UIC, Brussels, 1998.
[10] EEIG ERTMS User Group. ERTMS/ETCS System Requirements Specification. UIC, Brussels, 1999.
[11] EEIG ERTMS User Group. Euroradio FFFIS. UIC, Brussels, 2000.
[12] EEIG ERTMS User Group. Performance Requirements for Interoperability. UIC, Brussels, 2000.
[13] EIRENE Project Team. EIRENE System Requirements Specification. UIC, Brussels, 1999.
[14] R. German. Performance Analysis of Communication Systems, Modeling with Non-Markovian Stochastic Petri Nets. John Wiley and Sons, 2000.
[15] C. Ghezzi, D. Mandrioli, S. Morasca, and M. Pezzè. A unified high-level Petri net formalism for time-critical systems. IEEE Transactions on Software Engineering, 17(2):160–172, Feb. 1991.
[16] M. Göller and L. Lengemann. Measurement and evaluation of the quality of service parameters of the communication system for ERTMS. Signal und Draht, 94(1/2):19–26, 2002.
[17] L. Jansen, M. Meyer zu Hörste, and H. Schnieder. Technical issues in modelling the European Train Control System. In Proc. 1st CPN Workshop, DAIMI PB 532, pages 103–115, Aarhus University, 1998.
[18] D. Kendelbacher and F. Stein. Euroradio - communication base system for ETCS. Signal und Draht, 94(6):6–11, 2002.
[19] A. Mazzeo, N. Mazzocca, S. Russo, and V. Vittorini. A systematic approach to the Petri net based specification of concurrent systems. Real-Time Systems, 13:219–236, 1997.
[20] M. Meyer zu Hörste and E. Schnieder. Modelling and simulation of train control systems using Petri nets. In J. M. Wing, J. Woodcock, and J. Davies, editors, FM'99 Formal Methods. World Congress on Formal Methods in the Development of Computing Systems, volume 1709 of Lecture Notes in Computer Science, page 1867. Springer Verlag, Berlin, 1999.
[21] MORANE Project Group. Radio Transmission FFFIS for Euroradio. Brussels, 1998.
[22] T. Murata. Petri nets: Properties, analysis and applications. Proceedings of the IEEE, 77(4):541–580, 1989.
[23] J. Osburg. Performance investigation of arbitrary train control techniques. Signal und Draht, 94(1/2):27–30, 2002.
[24] R. Schrenk. GSM-R: Quality of service tests at customer trial sites. Signal und Draht, 92(9):61–64, 2000.
[25] M. Villén-Altamirano and J. Villén-Altamirano. Enhancement of the accelerated simulation method RESTART by considering multiple thresholds. In J. Labetoulle and J. W. Roberts, editors, ITC-14, pages 797–810. North-Holland, Elsevier Science Publishers B. V., 1994.
[26] A. Zimmermann, J. Freiheit, R. German, and G. Hommel. Petri net modelling and performability evaluation with TimeNET 3.0. In 11th Int. Conf. on Modelling Techniques and Tools for Computer Performance Evaluation, volume 1786 of Lecture Notes in Computer Science, pages 188–202, Schaumburg, Illinois, USA, 2000.
[27] A. Zimmermann, J. Freiheit, and G. Hommel. Discrete time stochastic Petri nets for modeling and evaluation of real-time systems. In Proc. Int. Workshop on Parallel and Distributed Real-Time Systems (WPDRTS01), pages 282–286, San Francisco, 2001.
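Returning to the Section 5 material above (the quantile requirements on the end-to-end delay, the loss of messages via lossUp/lossDown while the link is failed, and the remark that simulating rarer deadline misses takes too long), the following Python script is an added example and is not code from the paper or from TimeNET. The delay distribution is my own choice, a mixture of uniform pieces with an exponential tail (a simple expolynomial), built so that the quoted bounds hold; the paper's own piecewise firing-delay function did not survive extraction and is not reproduced. The two-state link with exponential failure and repair rates, the retry timeout, and all function names are assumptions; the paper's condensed link model, which yields its much higher stop probabilities, is likewise not reproduced.

```python
"""Added example, not code from the paper: a firing-delay distribution that
meets the end-to-end delay requirements quoted in the text, a Monte Carlo
estimate of deadline misses over a link that fails and recovers, and the
sample-size arithmetic behind the remark that rare misses make the
simulation slow.  Link and retry parameters are assumptions."""
import math
import random

# End-to-end delay D in seconds.  Assumption: piecewise-uniform pieces plus an
# exponential tail (a simple expolynomial, not the paper's own function).
# Lower bound 0.33 s = 0.13 s packet transmission time (from the text)
# + 0.20 s assumed minimum network delay.
PIECES = [          # (weight, lower bound, upper bound) of D
    (0.955,   0.33, 0.50),
    (0.040,   0.50, 1.20),
    (0.00495, 1.20, 2.40),
]
TAIL_WEIGHT, TAIL_START, TAIL_RATE = 0.00005, 2.40, 1.0   # D = 2.4 + Exp(1)
REQUIREMENTS = [(0.5, 0.95), (1.2, 0.99), (2.4, 0.9999)]  # (bound, min P(D < bound))

def delay_cdf(t):
    """P(D < t), computed analytically from the mixture."""
    p = 0.0
    for w, lo, hi in PIECES:
        if t >= hi:
            p += w
        elif t > lo:
            p += w * (t - lo) / (hi - lo)
    if t > TAIL_START:
        p += TAIL_WEIGHT * (1.0 - math.exp(-TAIL_RATE * (t - TAIL_START)))
    return p

def delay_mean():
    """E[D]; the requirement asks for 0.4 to 0.5 s on average."""
    return (sum(w * (lo + hi) / 2.0 for w, lo, hi in PIECES)
            + TAIL_WEIGHT * (TAIL_START + 1.0 / TAIL_RATE))

def requirements_met():
    """True when every quoted quantile bound and the mean range hold."""
    return (all(delay_cdf(b) >= q for b, q in REQUIREMENTS)
            and 0.4 <= delay_mean() <= 0.5)

def sample_delay(rng):
    """Draw one end-to-end delay from the mixture (pick a piece by weight)."""
    u, acc = rng.random(), 0.0
    for w, lo, hi in PIECES:
        acc += w
        if u < acc:
            return rng.uniform(lo, hi)
    return TAIL_START + rng.expovariate(TAIL_RATE)

# Two-state link (ok / failed) with exponential holding times.  Assumed rates.
FAIL_RATE = 1.0 / 3600.0    # one failure per hour of ok time
REPAIR_RATE = 1.0 / 20.0    # 20 s mean outage

def message_completion_time(rng, retry_timeout=1.0):
    """Seconds until one message arrives.  Attempts start at 0 and repeat every
    retry_timeout (assumed).  An attempt made while the link is failed, or whose
    transmission is still in flight when the link fails, is lost, mirroring
    the lossUp/lossDown transitions that empty sendingUp/sendingDown."""
    up = rng.random() < REPAIR_RATE / (FAIL_RATE + REPAIR_RATE)  # stationary P(ok)
    next_switch = rng.expovariate(FAIL_RATE if up else REPAIR_RATE)
    t = 0.0
    while True:
        while next_switch <= t:            # bring the link state up to time t
            up = not up
            next_switch += rng.expovariate(FAIL_RATE if up else REPAIR_RATE)
        if up:
            arrival = t + sample_delay(rng)
            if arrival < next_switch:      # delivered before the next failure
                return arrival
        t += retry_timeout                 # lost: wait and resend

def miss_probabilities(deadlines, runs=20000, seed=1):
    """Crude Monte Carlo: fraction of messages that miss each deadline, all
    deadlines evaluated on the same sample so the estimates are comparable."""
    rng = random.Random(seed)
    times = [message_completion_time(rng) for _ in range(runs)]
    return {d: sum(1 for x in times if x > d) / runs for d in deadlines}

def samples_for_relative_error(p, rel_err=0.1, z=1.96):
    """Runs needed for a confidence half-width of rel_err * p at level z
    (1.96 = 95 %).  Grows like 1/p: longer deadlines mean rarer misses and
    therefore far more runs for the same relative accuracy."""
    return math.ceil(z * z * (1.0 - p) / (p * rel_err * rel_err))

if __name__ == "__main__":
    print("requirements met:", requirements_met(), "mean", round(delay_mean(), 4))
    print("miss probabilities:", miss_probabilities([6.0, 12.0]))
    for p in (1e-2, 1e-3, 1e-4):
        print(f"p={p:g}: {samples_for_relative_error(p):,} runs for +-10 %")
```

Running the script reports whether the assumed distribution satisfies the quoted bounds, the simulated miss fractions for the 6 s and 12 s deadlines under the assumed link rates, and the number of crude Monte Carlo runs needed for a 10% relative error at miss probabilities from 1e-2 down to 1e-4. The last figure grows as 1/p, which is the quantitative form of the paper's observation that rarer misses make the simulation much slower; it is also the point at which a rare-event technique would replace crude sampling.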
