Modeling and verification of train departure scenario for next generation train control system

As a complex and safety-critical system, any failure in the Next Generation Train Control System (NGTC) departure scenario may cause serious personal injuries and property losses. It is very necessary to study NGTC scenario scheme and effective modeling and verification methods. This paper investigates the key technologies of the NGTC, optimizes the system structure and redistribution functions, and proposes the train control system scheme and typical operating scenarios. Firstly, the structure, equipment function and information interaction of NGTC are analyzed, and the operation scenarios of the system scheme are designed. This paper also uses UML language to describe the train departure scenario, and uses NuSMV modeling to verify accessibility and certainty of the scenario scheme. The results show that, the scheme proposed in this paper provides a reference for the design and implementation of the NGTC.


Introduction
The Ministry of Railways has determined that our country's railway train control system is divided into 5 levels from 0 to 4, namely CTCS 0-CTCS 4. The CTCS-4 is also called the NGTC. It is in the research and verification stage of the scheme. Therefore, the research of the NGTC has important research significance for improving our country's train control system. CTCS-3 has the largest scale of application in our country's railways, but it has complex ground equipment, high operation and maintenance costs. It is difficult to apply to our country's low-density railway lines in the harsh natural environment. The study of the NGTC is beneficial to improve the efficiency of train operation and reduce maintenance costs. Current researches are focused on future development directions, key technologies and overall technical system scheme.
Literature [1] was an innovative analysis of the NGTC, and proposed that the development direction of the train control system is mainly on-board equipment.
Literature [2] stated that the development trend of train control system was to improve performance by simplifying the system structure. Through intelligent management, optimized algorithms and decision support systems are used to ensure the stability of operations.
Literature [3] proposed a new generation of train control system adopts mobile blocking, upgraded train-to-ground wireless communication, and BD satellite-based train positioning technologies.
Literature [4] proposed the configuration scheme for the NGTC, mainly to simplify the configuration of ground equipment. The integration of station and section is the development trend of the NGTC.
The above research is the overall scheme research, and there is no specific scenario scheme research and verification. Starting from the problems existing in the current train control system, this paper studies the key technologies of the NGTC, puts forward the research scheme of the NGTC, designs the departure operation scenario. Modeling and verification methods of NuSMV based on UML are used to verify the accessbility, activity, transitivity, certainty and exclusiveness of the scenario scheme. The research results can provide reference for the design and implementation of the NGTC.

Train autonomous positioning
The NGTC cancels track circuit in the interval, the train does not have to use track circuit and other trackside equipment for positioning. NGTC introduces the BD satellite navigation system, and on-board equipment of train performs autonomous positioning based on the multi-source information fusion method composed of balise, speed measurement, satellite positioning, and electronic maps [5].

Moving block
The CTCS-3 train control system adopts an automatic block with a large tracking interval. The moving block method can shorten the train tracking interval, and the choice of block method is mainly limited by the train positioning accuracy and communication means [6]. The NGTC positioning adopts the BD satellite system and achieves moving block.

Train-to-train communication
Train-ground-train is the communication mode of traditional train control system, which greatly reduces the real-time performance of the system. NGTC adopts the mode of trainto-train communication, and the on-board equipment autonomously performs moving authority (MA) calculation.

System structure
The NGTC scheme is to solve the existing problems of the train control system, simplify the original system structure and optimize the function allocation, cancel the ground equipment likely interval track circuits and axles, reduce the maintenance costs, greatly improve the efficiency of train operation. The train control system is divided into three layers. The ground core equipment layer, on-board equipment layer, trackside equipment layer, system structure diagram is shown in Figure 1.
The ground core equipment includes a dynamic capacity decision system (DCD), resource management system (RMU), operation and maintenance centre. The main functions of DCD are generation of route command and train planning. The main functions of the RMU are route control, line resource management, train management. The function of on-board equipment is to realize train communication, generate MA, speed protection and electronic map check. The trackside equipment layer are mainly the switches, balises and object controller (OC), which is responsible for sending the collected trackside equipment status to RMU and controlling the trackside equipment according to the route control commands received from the RMU.

Description and analysis of the train departure scenario
Compared with the existing train control system, the NGTC proposed in this paper optimizes the distribution of route control and moving authority functions. The route control function was originally controlled by the computer interlock system, and now it is controlled by the RMU. The moving authority function was originally controlled by ground equipment, and is now autonomously calculated by the on-board system. In order to verify the feasibility of the scheme, this paper designs the scenario of train departure route. The information interaction between the devices is as follows: • After a train establishes communication with RMU, it sends train registration information, IP information and location information to RMU.
• After the RMU records the train's ID, IP number and location, it sends a registration success message to the train, and sends the electronic map and location information of all trains within its jurisdiction.
• RMU forwards the train information to DCD, and DCD sends the train operation plan to RMU. RMU forwards train plan to train.
• At time T before departure, the train sends a route request to RMU, and RMU forwards the departure request to DCD, which sends route control commands to RMU.
• RMU checks the legitimacy of the route command and sends the switch control command to the OC.
• OC controls he switch and sends the status of the switch to RMU.
• RMU lockes the route and controls the virtual signal to open, allowing the train to depart.
• The train runs in OS mode.

UML and NuSMV model
UML is a semi-formal modeling language, and NuSMV is a symbolic model verification tool that can effectively verify the finite state transition system [7]. The input of the tool is the symbolic system to be verified and properties to be verified. The runtime traverses the system state according to the state transition relationship defined by the system, parses the attributes to be verified one by one, and verifies the satisfaction of the scenarios scheme to the scenarios requirements. To reduce the complexity of NuSMV modeling, this paper uses the NuSMV modeling and verification method based on UML. Modeling and verification method of NuSMV based UML is divided into the four steps. Firstly establishing UML model of verification object. The UML model is transformed into NuSMV model. Extract attributes to be verified. Verify the NuSMV model and analyze the results [8].

UML model of departure scenario
Class model, interaction model and state model are effective tools for constructing system model [9]. In this paper, class diagram, sequence diagram and state diagram in UML view are selected as the main views of scenarios modeling in the class model, interaction model and state model. Due to the limited space, only the time sequence diagram and state diagram are listed here. Train departure scenario involves multiple vehicle-ground information interaction, sequence diagram describes the information transmission between on-board equipment and ground equipment, as shown in Figure 2. The state diagram is the control structure analysis of the system object. The state diagram represents the state change of each object in the system under different conditions, and each state transition of the object is recorded, as shown in Figure 3.

UML-NuSMV model transformation
The NuSMV tool consists of multiple modules, which are divided into main modules and sub-modules, both of which include declaration (VAR), definition (DEFINE), and assignment (ASSIGN). The transformation rules from the UML model to the NuSMV model are as follows: • Each class of UML model corresponds to a NuSMV model sub-module.
• The sequence diagram of the UML model is transformed into system attributes to be verified, and input into NuSMV model as SPEC field.
• UML state definition is to define a state variable in NuSMV sub-module, the value corresponds to all possible states of UML class, declared in the VAR field.
• Describe UML state transition relationship in ASSIGN.
• UML state transition conditions: each complex condition in state transition corresponds to a boolean state transition variable, which is defined in DEFINE.

NuSMV model of departure scenario
Define the main module and four sub-modules in the NuSMV model. Four sub-modules correspond to train class, DCD class, RMU class, OC class in UML. According to the transformation rules from the UML model to the NuSMV model, the UML state diagram model elements are added to the corresponding NuSMV sub-modules. The train module framework of the NuSMV model is shown in the Figure 4, and other modules are the same.

Analysis of verification results
The verification statement in the NuSMV model is the computation tree logic (CTL), which can describe the state transition path of the finite state transition system from multiple perspectives [10]. According to the characteristics of CTL statements and the verification objectives of this paper, five main attributes are defined to meet the scenario requirements, namely accessibility, activity, transtivity, certainty and exclusiveness. Among them, accessibility and activity guarantee function can be realized. Transtivity and certainty verify whether the scenario process is carried out according to the design, and whether the interaction behavior in the scenario meets the specification. Exclusiveness mainly verifies the security requirements of scenario implementation, such as ensuring that the system states do not conflict with each other.
When validated, the system verifies whether the NuSMV model conforms to the syntax rules and satisfies the system attributes. When verifying syntax rules, it can be modified one by one according to the system error report. When verifying the system attributes, the causes of errors are located according to counterexamples. After repeated modification and verification, the final verification of all attributes is passed, which verifies that the improved scenario scheme is to meet the needs. Since there are many verification attributes, they are not listed by one by,and the main attributes and verification results are shown in Figure 5.

Conclusion
In this article, we investigated research status and existing problems of current train control systems at home and abroad. Analyzing the key technologies of NGTC, this paper proposed a research scheme and designed normal train operation scenarios for NGTC. In particular, the scenario UML model is established to abstract NGTC scenarios scheme from the three dimensions of class diagram, interaction and state. According to the transformation rules from UML to NuSMV model, the article constructed the NuSMV model of proposed NGTC department scenarios. In the verification, modeling results have confirmed that the presented scenario plan has high accessibility and certainty. Furthermore, this paper provides a reference scheme for the research and verification of NGTC.
In the future works, NGTC will be modeled and verified in more train control system operation scenarios. Besides, we will try other modeling methods to enhance the authenticity and credibility of scenarios models. Comparing multiple scenarios and different modeling methods, we will continually optimize the proposed method to improve accessibility and certainty.