¥Ip�c´��XÚ�/ªz©Û��y

Hû�1 ½UÀ2, /72,�Ô(1,ÉD�1∗,±�U2,q�1

¥I�Æ�^�ïĤO�Å�ÆI[­:¢�¿, �®, 100190 1

�®�Ï�Æ, �®, 100044 2

*Ï&�öE-mail: znj@ios.ac.cn

Á� p�c´��XÚ�S��Ä���9<¬�)·ã�S�,ép�c´�

�XÚ?1î��/ªz�yäk­�¿Â"�´�Xp�c´��XÚ^�±9M

�5��ØäO�§XÚ�E,5ké��Jp§��ép�c´��XÚ?1/ª

z�y®²C��5�(J",��¡§duã/zï��ýLy�ª�*§ un)§

3ó§¢�¥®²��2��A^"Ïd§��Ð��yc´XÚ�S�§éX

Ú?1�[�ýüØÜ©S�Û�w�c�­�"�©ÏL¦^Simulink/Stateflowï

�óäép�c´��XÚ�1�N�!�?,?9Ü©�ª=�|µ?1ï�"

T�.äkÊ·5§ÏL?Uëê&E§�±éØÓ��?=�±9�ª=��|Ü

�¹?1�[�ý"ÏL¦^T�.·�é10�|Ü�¹?1�[�ý§��uy

3,�¹e�U¬ÑyØ�~Ê�½ö�?=��}�y�"aquÿÁ§�ý=

=Uuy�اØUy²XÚvk�Ø"Ï��ý�ù«Ø��5§é�ý9Ï/

ª�y3S�M'XÚ�O¥´�~7��"�d§·��Ù¥��Ø�~Ê��|

µ?1/ª�y§�y(Jy²3?Û�¹e�[(J��(5"

'�c

¥Ip�c´��XÚ

Simulink/Stateflow

�[�ý

�ª=�

�?=�

/ªz�y

1 Úó

p�c´äk!U!��!�$þ!S�Ó·�²w`³§ �Ï$ÑNX¥�ä�±Y5Ú�¸lÐ

5�$Ñ�ª§�$p�z®¤�­.�6"·Ip�c´ï���.ÄSI�“»�Þ”§­:uÐp�c

´§ò櫓�®�¥%!2���¥¢½��Ì!:!8��¯�c´�Ï�ÌZ�p�c´�$�ä"�

±ý�§±p�c´�Ø%�¯�c´�Ï��蠟ò¦·I²L�¬uÐÚ\p�c´��"p�c´

´�E,�XÚó§§8¤õÆ�!õ+��p#Eâ"Ù¥¥Ip�c´��XÚ´�y��p�!

p�!S�$1�j¢Ä:§¤±(�p�c´��XÚ�S�5k�~­��¿Â"

·¤XÚ´�aQ�¹ëYÔn�¸Czq�¹lÑ��1��XÚ"p�c´��XÚ´��;.�

·¤XÚ"dup�c´��XÚ´©ÙªXÚ§¥��XÚI�ÏL�§ÏÕé��?1��§äkS

N�,§/n©Ù2�§ÏÕ1�E,�A:§Ïd�OS��p�c´��XÚ'�(J"

·¤XÚ�OL§���²{ØÓ��ã§l é�O?1S�§±ÅÚ�¤��XÚ"XJ3�O�

ãæ^ã/z��ª£ã§±��Ø�ß�©�Lã§ò¬~�ÏØ)�5��اÓ�éùã/z�.

?1�[�ý§�±uyÜ©Ûõ�¯K§ ���±�B=z�/ªz��.?1�y§±B3ÐÏüØ

��Oþ�"�Ú¯K§ò¬kÏ~�^��Ï�ó�þ§~�^�í�­���U5"¤±3ÐϦ^

ã/z��.éXÚ?1£ã¬kéõ`³"Ïd3�OÐÏéE,�p�c´��XÚ?1ã/zï�

1

ék7�"

Simulink/Stateflow´Matlab¥��­��û�|�§PkMatlab�r�O�Uå|±§3ó�.¦^2

�§Pk�þ�^rÄ:"§´�«ã/z�ï�óä§é�.�£ã'��*§¿�|±�[�ý§�±

u��.´Ä�ýO1��Χ±BüØÜ©@Ï��O�Ø"Ó�§§��±òïá��.=z�éA

�C�ó§kÏü$mu¤�"

Äuþãnd§·��â8c¥Ip�c´��XÚ�5�§ép�c´��XÚ�1�N�!�?,

?9Ü©�ª=�|µïáSimlink/Stateflow�., ¿�¦^T�.é�?�n?��ª=z�(Ü�Ü

©�¹?1�[�ý§uy3Ü©�¹e¬ÑyØ�~Ê�±9�?=��}�y�"

,��¡§Ï��[�ý==U�â�¸�k¡Ñ\3k��mS*XÚ1�´Ä÷v�¦§

�¸�Ñ\Ï~káõ«§¿�ùXÚ�$1�Uvk�m��§¤±aquÿÁ§�[�ý==U

uyXÚ�اØUy²XÚvk�Ø"AOéuS�M'XÚ§==�ýÃ{�yXÚ��(5"

éSimulink/Stateflowã/�./ª�y�cJ´I�Jø��/ª�±9�éT/ª�Â��yEâ"

3[20, 19]¥§·��ÄXÛòSimulink/Stateflowã/�.=�¤HCSP[12, 17]/ª�.§¿¦^HHL[14]9

Ù½ny²ì[18]5/ª�y=z��/ª�."�©��§·�±Ù¥,�|µ�~§ ²XÛ¦^þã

�{òÙ=��/ª�.¿î��y§�y(JL²3?ÛÑ\eþ��[(J��"

1.1 �'ó�

�|±·¤XÚï�§éõï��ó�JÑ5§'X`§Modelica§Hybrid UML§�mgÄŧ·¤

gÄŧEsterel��"

Modelica[11]�SimulinkÓ´ã/z�ï��ó"§´�«m �ó§|±^rg½Â?U"§Ó�|±

ã/Ú�èï�§L�Uåér"�´§vkaquStateflowù����6ãï�ó䧤±é��Ü6ï

�|±'��f"�,Modelica¦^�{Ú¼êé��Ü6?1ï�§�´duù«ï��ª´Äu©�

�§LyØ�*§Ø|uép��.?1ï�"

Hybrid UML[8]´�«é·¤XÚ?1ã/z�ï���󧧴ÄuDÚUML�·¤*Ð"UML3ó

�.k2��¦^§ rÄ:�Ð"�´ù«ï��óØU?1�[�ý§�ØU?1�y§¦^þké�

���"

�mgÄÅ[7]´gÄÅ3¢��¡�ÿЧÚ\�¨Cþ�Vg§l �±é��S�¡�5�?

1�[�y"¿�Pk¤Ù�û�óäUPPAALéÙ?1�ý±9�y"�´§du�mgÄÅØU?nE

,ëYCz§ØUé·¤XÚ?1ï��ý"

·¤gÄÅ[13]´gÄÅ3·¤XÚ�¡�ÿЧÄu��8O���«�yó�3Æâ.ïÄ�\§A

^2�"ÄugÄÅ�ï�Eâ�*! un)§�´§vkXÚ(��¡�&E§|Ü5�§Ø·Ü�.

XÚ�ï�"AO´§vkã/zóä|±§ØU?1�[�ý"

Esterel[10]´�«Äu�mÓÚ�.�ï��ó"�~��ÓÚÉÚÏÕ�ªØÓ§�Esterel¥&Ò�u

x��§T�m:þÙ¦¿u?§Ñ�±òT&Ò�Â?¿k�g"EsterelPk¤Ù�û�óäScade[9]é

Ù?1|±§Tóä)¤��è�·^u¢SXÚ§~��Ïmu�ó�þ"

IS�kéõ�ïó�ö}Áé¥Ip�c´��XÚ?1ï��y§~X§3[1]¥§�ö(ÜUML3

�.�2�A^9SMV�.u�óä�`:§JÑ�@��XÚ5��ï���y�{"[2]Äk�é;

��Ï��XÚ�A:§ïÄS�XÚ�OnØÚ�{§JѦ^gÄÅ�.Ú�A��.u��{é

��XÚ5�?1/ªzïÄ" 3[4]¥§�ö¦^Petri�ép�c´��XÚ&��.ÚêâDÑ��

mA5?1ï�Ú©Û,�CTCS-3?��XÚ5�¥��'ëê�OJøcJÚÄ:"

2

2 �µ�£

3ù�!¥§·�ò0�p�c´��XÚ!Simulink/StateflowÚHCSP±9HHL���µ�£§Ï

�·�'%�?=�Ú�ª=��(Ü�|µ§¤±·�¦^1��!Ú1��!©O0�p�c´��

XÚ�?Ú��3ØÓ�?e�ØÓ�ª§1n�!´�éï�óäSimulink/Stateflow�0�§1o�!

0�HCSPÚHHL"

2.1 p�c´��XÚ�?Vã

¥I����XÚCTCS£China train control system¤§�âoN�K§lI�! �¢SÑu§�y©

�5?[3]§Ù¥·�'%ü�?Oµ

1. CTCS-2£C2¤?

Äu;�DÑ&E���$1��XÚ§¡�J�Z�Úp�#�§æ^�!/�Nz�O"·^

u�«��«ã§/¡�Ø�ÏL&ÒŧÅ�³�1&Ò1�"/¡fXÚ¥O\��¥%§�â�

�Ó^�¹9?´G�§O�1�N�9·����Ý­�¿Dx���":ª&E��^u��1

��Dѽ &E!?´ëê!�´ëê!��ÚÊ�&E�"

2. CTCS-3£C3¤?

ÄuÃ�DÑ&E!æ^;�>´��ªu���Ó^���$1��XÚ"¡�J�Z�!p�

#�½AÏ�´§ÄuÃ�Ï&��½4l½J[gÄ4l"CTCS-33CTCS-2�Ä:þkéõU

?"Ì�Ny3��¥%§Ú&E�p�ª�UCþ"

2.2 CTCS-2?ÚCTCS-3?e�ªVã

1. C2e�ª0�µ

��i��ª£FS¤µ3��i��ªe§���1��AU�ä�� �ÚÊ� �§3�y��

�Ý÷v�´�½��!�ý�E�Ý!Ê� �!�����^��cJe§)¤8I-ål�ª­

�§¿ëYi����ݧ��ª�Ý'�§gÄÑÑ;:�Ľ~^�Ä·-§Ó�§AUÏLDMIw

«��¢S�Ý!#N�Ý!8I�ÝÚ8Iål�&E"

8À1��ª£OS¤µ3�ª¥§���1��)¤NBP£normal brake profile¤1�20km/h��ª

­�"

Ü©i��ª£PS¤µduA�ì&E�ÂÉ~���´êâ"�§½öduÙ§�Ï���1�

�Ã�´ê⧱9ý���Ú3�Õ�nÚ����§���1���ó��ªÑ½Â�Ü©i�

�ª"

2. C3e�ª0�µ

��i��ª£FS¤µ��1��ä�����¤I��ÜÄ�êâ£�)��êâ!1�N�Ú�

´êâ�¤�§�1��)¤8IålëY�Ý���ª­�§¿ÏLDMIw«��$1�Ý!#N�

Ý!8I�ÝÚ8Iål�&E§i���S�$1"

8À1��ª£OS¤µ�1��w«Ê�&Ò½ �Ø(½�§3Ê�G�eiÅUØ;^UÜ�

¦�1��=\8À1��ª"8À1��ªe§�1��U�½���Ý40km/hi���$1§�

�z$1�½åliÅI(@�g"

1~^�Ä0\­�

3

Out11

AddIn22

In11

ã1. Sumulink«~

A 1state11

state111

state112

state12state121

state122

B 2state31

state321 2 3 1 2

ã2. Stateflow«~

v_out2

s_out1

v

1s

s

1s

c20c-0.9

a

MinMax

maxa_in

1

ã3. ÄåXÚ

Ú��ª£CO¤µ�m�Ú�&Ò?1�u��§�1��)¤8IålëY�Ý���ª­�§¿

ÏLDMIw«��$1�Ý!#N�Ý!8I�ÝÚ8Iål�§�1��U�½���Ý40km/hi

���$1§iÅKI3��$1�u�;�Ó^�¹"

k?�ª£TR¤µ���1k?�o�§�1��?\k?�ª"ù��ªe��¬;:�ħ�

����"

2.3 Simulink/Stateflow�Vg

2.3.1 Simulink0�

Simulink[5]´MATLAB�­��|���§§Jø��ã/z�Ä�XÚï�!�ýÚnÜ©Û�8¤�

¸"3T�¸¥§ÃI�þÖ�§S§ �I�ÏL{ü�*�àIö�§Ò��EÑE,�XÚ"Simulink´

^uÄ�XÚÚi\ªXÚ�õ+��ýÚÄu�.��Oóä§Pk´L��*¿ý½Â�¬¥"é�

«¢�XÚ§�)ÏÕ!��!&Ò?n!Àª?nÚã�?nXÚ§SimulinkJø�pªã/z�¸Ú

�½��¬¥5éÙ?1�O!�ý!�1ÚÿÁ"

Simulink�.´d�X���¬Úë�ù�¬�>|¤�"z��¬�±´��Simulink�¬¥¥�

Ä��¬§L�Ñ\ÑÑ�m���êÆ'X§��±´deZ�¬|¤�fXÚ"ë�>�Aü��

ë��¬�m�'X"

Simulink�.Ï~dnÜ©|¤µÑ\&Ò (Source)!XÚ(System)±9�Â�¬(Sink)"

1. Ñ\&Ò �¬¥(Source)

Ñ\&Ò �¬¥^5��.JøÑ\&Ò§vkÑ\�§�´��k��ÑÑ�"Ì�kµConstant!

Step!Ramp!Sine Wave!Signal Generator!From File!From Workspace!Clock!In"

2. XÚ�¬¥(System)

XÚ�¬Ì��)ëY�¬!lÑ�¬!êÆ�¬!Ü6�¬!&Ò?n�¬!XÚ�¬"ëY�¬

Ì�kµIntegrator!Derivative!State-Space!Transfer Fcn!Zero-Pole!Transport Delay"lÑ�¬Ì

�kµDiscrete-time Integrator!Discrete Filter!Discrete State-Space!Discrete Transfer-Fcn!Discrete

!Zero-Pole!First-Order Hold !Zero-Order Hold!Unit Delay"êÆ�¬Ì�kµSum!Product!Dot

Product!Gain!Math Function!MinMax!Abs!Sign"Ü6�¬Ì�kµCompare To Zero !Compare to

Constant!Inteval Test!Relational Operator!Logical Operator!Bit Set!Bitwise Operator!Bit Clear"&

Ò?n�¬Ì�kµIC!Bus Creator!Bus Selector!Mux!Demux!Switch!Multiport Switch!Manual

Switch!Selector"XÚ�¬Ì�kµSubSystem!Triggered Subsystem!Enabled Subsystem!Function-Call

Subsystem!If Action Subsystem"

4

3. �Â�¬¥(Sink)

�Â�¬´^5�Â�¬&Ò�§vkÑÑ�§�´��k��Ñ\�"Ì�kµScope!Display!XY

Graph!To File!To Workspace!Stop Simulation!Out"

Simulink�¬lÙ1��ªþ©�±©�ëY�¬ÚlÑ�¬ü«"Simulink�.¥�z��¬Ñk�

����m§§�����´-1½ö�K2:ê"XJù��¬����m´-1§L«Ù���mdÙ5

�¬����mO� 5¶XJù��¬����m´0§L«ù��¬´ëY�¬§ÙO�1�äkëY

5¶XJ´����x§L«T�¬�lÑ�¬§Ùz�x�m�Ý­#O��g"

�õêSimulink�¬Ñ�¹��ëê§ r�±ÏL?Uùëê5¼�ý��õU"'X`~ê�¬

�±��ÑÑ~ê�§È©�¬�±��Щ�§Switch�¬�±��ö�ÎÒa.ÚK�"

ã1£ã��Simulink�.§Ù¥�Add�¬lIn1§In2�Âü�Ñ\§ÏL\{$��)(J§¿Ï

LOut1ÑÑ"T�.¥In1!In2§Out1ÚAdd©OéAuÑ\&Ò §ÑÑ&Ò �XÚ"

2.3.2 Stateflow0�

Stateflow[6]´Simulinkp¡���óä�, §´��ÄuG�ÅÚ6§ã5�ï|ÜÚ�SÜ6ûü�

.¿?1�ý��¸"Stateflow�±òã/L«ÚL�L«£�)G�=�ã!6§ã!G�=�LÚý�

L¤(Ü3�å§�éXÚé¯�!Äu�m�^�±9ÜÑ\&Ò��A�ª?1ï�" r�±3¦

^Simulink�ý�§¦^ù«ã/z�óä¢y��G��m�=�§éE,�i�Ü6?1ï�"

Stateflow�.Ì�d¯�Cþ8ܧG�§(:ÚG�[£|¤µ

1. ¯�Cþ8Ü

´P¹Stateflow�.¥¦^�2¯�ÚCþ�8Ü"2¯�ÚCþþ©�Ñ\ÑÑÚÛÜn

«§©OL«lÜ�¸Ñ\�2¯�½Cþ§�ÜÑÑ�2¯�½CþÚSܦ^�2¯

�½Cþ"

2. G�

G��LXÚy3?3��¹"3Stateflow e§G�kü«1�µ¹Ä�£active¤Ú�¹Ä�

£inactive¤"�±é��G�?1IP§�)�ù�G�5½G�¶±9ù�G�3?\!òÑÚ?u

-¹G�e�Â���¯�¤A�1�Ä�"��L«Xeµ

name

entry : entry actions

during : during actions

exit : exit actions

bind : data and events

onevent name : on event name actions

\�Ä�(entry: entry actions)´L«u)G�[£§-¹TG��I��1�Ä�"¥mÄ

�(during: during actions)L«�?u-¹�G�É���¯��>u§Ø�3lù�G�uÑ�G

�[£�§dG�E?u-¹G�I��1�Ä�"Ñ�Ä�(exit: exit actions)L«�3ddG�uÑ

�k�G�[£�§TG�òÑ��1�Ä�êâ¯��½Ä�£bind: data and events¤òêâÚ¯�

�½3dG�þ"�½�êâ�U3dG�½ÙfG�S�U�§Ù¦G��UÖ�dêâ"�½�¯

�ddG�½ÙfG�2Â"A½¯�u)Ä�(on event name: on event name actions)"event name5

5

½��A½�¯�¶on event name actionsL«�TG�´-¹G��event name5½�¯�u)�I

��1��"

3. (:

(:^u£ãG�[£L§¥�[£&Ò�©lÚ®Ü"ÏL¦^(:§G�ÚG��m�[£Ø

==´>�{üë�§ ´��E,�[£�ä"

4. G�[£

G�[£��2 ^uë�ü�G�½ö(:§§�±�IP§TIP���/ª�Xeo�|µ

EventTrigger[Condition]ConditionAction/TransitionAction

>u¯�£Evnet trigger¤ ¯�8Ü¥�����§��[£^���Ü©" �'Xª£Condition¤

´��Ù�L�ª§�>u¯��Ó|¤G�[£�[£^�">u¯�£Evnet trigger¤��½ö�

�c2¯���§Ó�^�'Xª£Condition¤�ý§KTG�[£�>u"^�Ä�£Condition

Action¤Ú[£Ä�£Transition Action¤ ¦^Matlab�action languageÖ���è¡ã" �Ä�3

[£�>u��á=�1§ [£Ä�=�[£ª:�G���á=�1§ÄK�M�3��è�¥§

eT[£�ª����G�§è�¥�[£Ä�ò�^S�1"

Stateflow�.äk�gz�A5§?¿StateflowG�þ�i\��Stateflowf�.5´LTG��1�"

Ó��g¥§¤k�G�´p½(OR)½ö¿1(AND)�§p½G��m�±¦^[£?1ë�§ ¿1G�

�mØU¦^[£ë�"

StateflowÏÕæ^2ÂÅ�§���¯��2Â�§¿1G�UìÙýk½Â�^Sk��Â�T2Â

¯�§p½G�=k-¹G�Â�T2¯�"�G��Â���2¯���§?1Xeö�µUìýk

½Â�^S§éG��¤kÜÑ�[£?1u�§XJT[£�äU¤õ��,�G�K�1éA�[

£Ä�§¿�¤TÓ¯�2¶ÄK§Uìý½�^SéSÜÑ�[£?1u�§XJT[£�äU¤õ�

�,�G�K�1éA�[£Ä�§¿�¤TÓ¯�2¶XJþãü�þؤõ§K�1¥mÄ�",

�r2¯�éÙ�¹�fã?12Â"�G�[£¤õ�§I�é� G�Ú8�G��m��Ó´»§

lS�§�1 G�Ñ�Ä���Ó´»§,�l�S§�18IG��\�Ä�" ã2£ã�

�Stateflow��.§Tã¥kü�¿1�G�A�B§Ó�?u-¹G�"G�AÚG�B¥©O�¹8�Ú

ü�p½G�§§��g(�Xã2¤«"ã2¥�[£>�¹n«AÏ�¹µ±¢%ç:mÞ�[£>�%

@[£>§L²T�Þ¤�G��%@-¹G�¶G�S11�S2�[£��m[£¶G�S21�S22�[£�

[£�ä§T[£�ä�¹��(:"

2.4 ·¤CSP{0

2.4.1 ·¤CSP

HCSP£Hybrid Communicating Sequential Process¤[12, 17]3CSP£Communicating Sequential Process¤

�Ä:þÚ\�©�§±£ã3·¤XÚ¥�ëYÄ�1�§¿Ó�Ú\�«¥äÅ�£^�¥äÚÏ

Õ¥ä¤5¥ä��ëY��©1�§? ¦ëY�©1�ÚlÑ��1���$1"HCSPUÓ��xX

Ú�ëY1�Ú��Ü6§¿äkCSPp�|Ü5�A5§ �«éÐ�^5£ã�.��XÚ�/ªzï

��ó"

2%@[£´�«AÏ�[£§§=k��8IG�§L«TG��%@-¹G�"

6

-

6

s1 s2 s3

v1v2

s

v

0

ã4. MA«~

CTCS-2级区域 CTCS-3级区域

x1 x2

RE LTA LTO

共管区域

TCC RBC

RT

MA1 MA2 MA3 MA4C2级MA

MA1 MA2 MA3 MA4C3级MA

ã5. �?=�|µ

HCSP��{Xe¤«µ

P ::= skip | x := e | ch?x | ch!e | P ;Q | B → P | P tQ | P ∗

| 〈F(s, s) = 0&B〉 | 〈F(s, s) = 0&B〉� 8i∈I(ioi → Qi)

S ::= P | S‖S

þª¥P,Q,Qi, Sþ�HCSP?§§xÚs�?§Cþ§ch�Ï�¶§ioi�Ï&¯�£Ñ\¯�ch?x½Ñѯ

�ch!e¤§BÚe�Ù�L�ªÚ�âL�ª"±þ�{(���/ªz�ÂL«XeµskipØ�1?Ûö�§

á=ª�¶x := e òL�ªe��D�x¶ch?xlÏ�ch¥�����§¿òÙD�x¶ch!eòe��ux�Ï

�ch¶P ;Qk�1?§P§�?§Pª���1?§Q¶B → P3B�ý��1P§ÄKá�ª�¶P tQdXÚ�ÅÀJ´�1?§P�´Q¶P ∗L«k�g­E�1?§P¶〈F(s, s) = 0&B〉�L�©Ä�L§§T�©L§�'�Cþ��7L¦�Ù�L�ªB©ª�ý�§ÄKT�éá=ª�¶〈F(s, s) = 0&B〉�8i∈I(ioi → Qi)

�〈F(s, s) = 0&B〉 �1L§Ä���§�´�Ï&¯�ioiu)�¬á��1éA?§Qi§ÄK§¬���

1��©L§ª���¶S1‖S2¥S1ÚS2�¿u?§§3ØI�ÏÕ�¦��gÕá$1§�I�ÏÕ�Ï

ÕV�I�ÓÚ�1TÏÕL§§¿u?§�mØU�3��Cþ½´��Ñ\½öÑÑÏ�"

2.4.2 ·¤HoareÜ6

3[14]¥§·�ÏL3²;�HoareÜ6¥Ú\{¤úª�ïHCSP�y²XÚ"��§[18]òTÜ6

3Isabelle/HOL¥¢y§¿|^Tóä�y¥Ic´��XÚ¥���¢SY~"{¤úªd���ã

��úª[16, 15]L�§^u£ãXÚ3�1�m«ãS÷v�5�"3·¤HoareÜ6£HHL¤¥§^S?

§P�5�£ãdn�|{pre}P{post;HF}5L�§Ù¥pre!post!ÚHF©OL«c�^�!��^�!Ú

{¤úª"c�^�Ú��^�d��Ü6úªL�§{¤úªd�ã��úªL�"éu¿u?§Ù5�

£ãXeL«"

{pre1, . . . , pren}P1 ‖ · · · ‖ Pn{post1, . . . , postn;HF1, . . . ,HFn}

Ù¥prei!postiÚHFi©OL«1i�?§�c�^�!��^�Ú{¤úª"

3 |µ£ã9Ùï�L§

·�òp�c´��XÚÄ��Ì�d��XÚ§���iÅ|¤"��XÚ©�õ��?§·���

Ä��3C2?ÚC3?e¡�1�§¤±��9C2?��XÚ�C3?��XÚ§©O´TCC (Train Control

Center )§RBC (Radio Block Center)§ÙÌ��^´�â�1fXÚ§/¡fXÚ�Jø���G�§;�

7

Train 4l1 l2

l3l4

MATLAB Function stop

TCC 2RBC 1 Driver 3

MATLAB Function out

MATLAB Function vdisp

MATLAB Function add_v2

MATLAB Function disma2

MATLAB Function changeMA2

MATLAB Function fun_ma2_move

MATLAB Function fun_ma3_move

MATLAB Function dicma3

MATLAB Function add_v3

MATLAB Function disma3 MATLAB Function

changeMA3

ch_lu_conf

[loc>x1]{level=4}

[loc>x2&&TTFAIL==0]{level=3,ldisp=3;}

1

[loc>x2&&TTFAIL==1]{level=2;ldisp=2;}

2

{vdisp();}

ch_ma2_conf{changeMA2()}1[loc>=s21]{fun_ma2_move();ch_ma2_app}

2

{out()}

3

ch_os_conf[CON_LOST==false]{disma2();acce=CON_A}1

ch_os_conf[CON_LOST==true]{disma2();disma3();acce=CON_A}

2

[speed<=0.1125 &&loc>s21-0.22&&(mode32==4)&&cos==1]{cos=0;ch_os_app;}

3

[fv>=vx1]{acce=CON_b}

4

[fv>=vx2]{acce=CON_a_sbi}

5

{acce=CON_A}

6

2

[loc>=1000]/ch_lu_app1

{vdisp();}

ch_ma2_conf{changeMA2()}1[loc>=s21]{fun_ma2_move();ch_ma2_app}

2{out()}

3

ch_os_conf[CON_LOST==false]{disma2();acce=CON_A}1

ch_os_conf[CON_LOST==true]{disma2();disma3();acce=CON_A}

2

[ speed<=0.1125 &&loc>s21-0.22&&(mode22==4)&&cos==1]{cos=0;ch_os_app;}

3

[fv>=vx1]{acce=CON_b}

4

[fv>=vx2]{acce=CON_a_sbi}

5

{acce=CON_A}

6

{vdisp()}

ch_ma3_conf{changeMA3();}1ch_ma2_conf{changeMA2();}2

{out();}

5[loc>=s31]{fun_ma3_move();ch_ma3_app}

3

[loc>=s21]{fun_ma2_move();ch_ma2_app}

4

ch_os_conf[CON_LOST==false]{disma2();acce=CON_A}1

ch_os_conf[CON_LOST==true]{disma2();disma3();acce=CON_A}

2

[ speed<=0.1125 &&loc>s31-0.22&&(mode31==4)&& (mode32==3)&&coa==1]{TTFAIL=1;disma3();disma2();acce=CON_A;coa=0}

3

[ speed<=0.1125 &&loc>s31-0.22&&(mode32==4)&&cos==1]{cos=0;ch_os_app;}

4

[fv>=vx1]{acce=CON_b}

5

[fv>=vx2]{acce=CON_a_sbi}

6

{acce=CON_A}

7

{vdisp()}

ch_ma3_conf{changeMA3();}1ch_ma2_conf{changeMA2()}2[loc>=s31&&level==3]{fun_ma3_move();ch_ma3_app}

3

{out()}

5

[loc>=s21&&level==2]{fun_ma2_move();ch_ma2_app}

4

[mode31==5&&v31!=0]{stop();}

1ch_os_conf[level==3]{disma3();acce=CON_A}

2ch_os_conf[level==2]{disma2();acce=CON_A}

3

ch_co_conf{dicma3();acce=CON_A}

4

[level==3&&(speed<=0.1125 &&loc>s31-0.22&& mode32==3)&&coa==1]{coa=0;ch_co_app}

5

[level==2&&(speed<=0.1125 &&loc>s21-0.22 && mode22==4 )&&cos==1]{cos=0;ch_os_app}

6

[level==3&&(speed<=0.1125 &&loc>s31-0.22 && mode32==4 )&&cos==1]{cos=0;ch_os_app}

7

[fv>=vx1]{acce=CON_b}

8

[fv>=vx2]{acce=CON_a_sbi}

9

{acce=CON_A}

10

ch_ma2_app /sn2=loc+8000 ;add_v2 ( ) ;ch_ma2_conf

ch_ma3_app/sn3=loc+8000 ;add_v3 () ;ch_ma3_conf

1

ch_lu_app /x1=2000;x2=5000;ch_lu_conf2

ch_os_app/ch_os_conf1

ch_co_app/ch_co_conf2

ã6. ��XÚ

8

Ó^§����·-§ë£?´G�§/³�o�&E�)Ù����S�����1�N����&E§

¿�DÑ��1��±�����$1"��$1�L§¥§iÅ�i����$1§I�²~éØÓ��

¹�Ñ�A"

ã6´L«����XÚ�Stateflow�.§Ù¥C2?��ì§C3?��ì§��ÚiÅo�Ü©©Od

dTCC§RBC§TrainÚDrivero�G�L«§ùo�Ü©I�¿1�1§¤±ùo�G��m�'X�¿1"

��3$1L§¥I���ÄåXÚ5O��ݧduÄåXÚ´ëY�§Ïd·�3Stateflow¦^��

fXÚ5L«§Xã3¤«§ù�fXÚ�Ñ\´\�ݧÑÑ´�ÝÚål§¦^ü�È©�¬§©O�

L\�Ý�È©��ݧ�Ý�È©�ål"

$E|µ´é$E¥XÚó��ª�{�£ã§3ù��.¥§·��Än�$E|µµMA|µ§�

�ì¬é���$1L§?1i�§¿�ÏLMAÇ������1�¶�?=�|µ§��3$1¥�±

lC2?=��C3?§ã5´�?,?|µ���«¿ã¶�ª=�|µ§��3ØÓ��ªe¡�¬kØÓ

�1��ª§ØÓ�?e¡ØÓ��ª�m�=�kØÓ�1��ª"e¡·�¬�[0�ù�n�|µ"

Ï�l©�¥íÿ�?=�Ú�ª=��(Ü�U¬�)¯K§Ïd·�ò�[�?=�Ú�ª=��(

Ü�|µ§Ù¥�?=�:Ú�ª=�:´Ó�:"

3.1 1�N�

1�N�MA (Movement Authority)´��S�$1�1�³y"MAª:´����Ç�$1�� 

�"��1�N��)õ�ëY�«ã§z�«ãd��Ê�|L«§äNXeµ

MA«ã={�?§�ª,8Iål,;:�Ä0\�Ý,~^�Ä0\�Ý}

l�c�£ã¥�±��§���1��ªþd����?3��?Ú�ª¤û½§=Ê�|�1��

Ú1��"�.��9C2?�C3?ü��?§©O^1Ú2L«§¿���ÄFS!PS!CO!OS!TRÊ��ª§

©O^1!2!3!4!5L«"

��3$1L§¥¬Øä��#MA�L"·�b½��3$1���«ã��§¬�TCC£C3?e

�RBC¤��#�«ã§uÑch ma2£ch ma3¤&Ò§TCC£RBC¤��T����§ò�w��#N� �

)¤#�MA§¿�uxch ma2 conf (ch ma3 conf)Ú#�MA���§XTCC¥�[£ÚRBC¥�[£1¤

«"���Â�#�MA��òCX�kMA"

��¬Øä�â8c�MAO���k�\�Ý��§O�Ì��â���üa­�µ

1. ·��Ý­�£SSPµStatic Speed Profile¤

dz�«ã�¤k�p�Ý��|¤§�);:�Ä0\�ÝÚ~^�Ä0\�Ýü��Ý��;

2. Ä��Ý­�£DSPµDynamic Speed Profile¤

�);:�Ä0\­�Ú~^�Ä0\­�§dMA�8IålÚ·��Ý­�O� 5"��3

$1�L§¥?¿��I�yØU��·��Ý­�"XJ��3?¿��Ø�LÏL�â·��Ý

­�O����Ä��Ý­�§l (���3$1L§¥Ø¬��·��Ý­�"Ä��Ý­�

��)üöµ

;:�Ä0\­�(EBIµEmergency brake intervention): ´�â8IålÚ;:�Ä0\�ÝO

� 5��Ý­�§XJ���c�Ý�Ñ;:�Ä0\­�§��Ò�±��~�Ý?1;

:�Ķ

9

~^�Ä0\­�(SBIµService brake intervention): ´�â8IålÚ~^�Ä0\�ÝO�

5��Ý­�§XJ��8c��Ý�Ñ~^�Ä0\­�§@o���±~^�Ä~�Ý?

1�Ä"

XJ����c�Ývk�Ñ~^�Ä0\­�§@oÒr���\�Ý���~^�Ä~�ݱ

9��\��m�,��"

3�.¥·�¦^out¼êO����c´Ä�LEBI½öSBI"XJ�LEBI§KCþeout����1§

XJ�LSBI§KCþsout����1§3���[£¥©O�weoutÚsout����\�Ý�a"��3$

1¥�z��Ñ�O�Pk�¤kMA«ã�~^�Ä0\­�Ú;:�Ä0\­�§z�:þ�¤kMA«

ã�;:�Ä0\­�éA ��������c�;:�Ä0\�ݧ�¤kMA«ã�~^�Ä0\­

�éA ��������c�~^�Ä0\�ݧù�U\/¤T«ã�;:�Ä0\­�Ú~^�Ä

0\­�§�=��$1¥�z��ÑØ�±��8cPk�?Û��MA«ãO����;:�Ä0\­

�Ú~^�Ä0\­�§ù�(�XJ��3ù�«ã�~$1§Òج��e�«ãå:��Ýþ�"

ã4´��kn�MA«ã�~f§d:s1§s2§s3©m"ù�~f¥§·�b�����«ã���­�

ª:�Ý�"§Ïd��XJØUYÿÐ���MA«ã�L§��ÒI�3s3:Êe"ã¥�8^��©O

�Ln�MA«ã�·��Ý­�§8^­�£���ã�;:�Ä0\­�Ú~^�Ä0\­�­Ü§Ï�

":�;:�Ä0\�ÝÚ~^�Ä0\�ÝÑ´0¤©O�Ln�MA«ã�g�âþãúªO����

;:�Ä0\­�Ú~^�Ä0\­�"�âXeúª?1O�Ä�­�v2 + 2b s < next(seg).v21 + 2b seg.s,

ùp�next(seg)�L��e���$1�MA«ã§b�L;:�Ä\�ݧseg.s�Lù�ãMA«ã�ª:

 �"

3.2 �?=�

�?=�´��XÚ�Ì�õU��§��dC2?�´?\C3?�´§I�3�½/:?1=�"�?

=�c§A�¤�ó��)5þ�GSM-R�ä!�RBCïáÏ&¬{!lRBC¼�XÚ��ëêÚ1�N

��&E"��C3?��^�ä��§�1��gÄ=\C3?ó�"Xã5¤«"Ì�L§Xeµ

1. ���GSM-Rïáë�§�RBCïáÏ&¬{

lC2?��=��C3?��ÄkAïá�1���GSM-R�Ï&ë�"

�1���GSM-R�äïáë��§lC2?=��C3?Aïá�1���RBC�Ï&¬{§�d

3=�«\�?��RBCë�A�ì|£RE¤§TA�ì|A��C���ux^uïáÏ&¬{�

·-"�����U?\ØÏ C3?�©|§ù��ÿAT����·-��'4Ï&¬{�A�ì

|(RT)"

2. ¼�1�N�

C3?XÚA��ý�?\C3?«����Jø1�N�"C3?XÚ3�=�>.c��?´�«

���^u��1��JøO(?´�?m=�ýwA�ì|£LTA¤"���càÏLýwA�ì|

£LTA¤�§�1���RBC�w�� �§RBCâd(½���C�O(?´§,��âC3?��«

�é£?´&E§��1��Jø�)�´ëê�1�N�£MA¤9?m=�·-"��3��=�

>.c©ªdC2?XÚ��§�1��ò;�dc¼��C3?1�N�£MA¤¿3ÙÏLC2/C3?>

.¿=��C3?XÚ���¦^"3¼�1�N���?=��1ùãÏmS§��¬É�C2ÚC3?

1�N�����"

10

3. �1�?=�

���càÏLC2/C3?>.§�âRBC�·-¿ä�C3?XÚ��^��§�1��ògÄ=

�C3?��"3C2/C3?m=�>.��=��1A�ì|£LTO¤���ux�E"��±3�?=

�>.��U±C2?�p#N�Ý$1§C2?XÚ�1�N�7L�LC2/C3?>.������~

^�Äål"��3C3?XÚ��L§¥§C2?�1����ü�?u��ó�G�§Øé��k�

��^"

ã6¥Train�¬Ð«�?=�|µ§T�¬¥�o�G�©O�L��3$1�RE�c§RE�LTA�

m§LTA�LTO�m§��LLTO��o��ã"1���ã¥���~éÄ$1§����REïáë�"1

���㥧��®²�RBCÏLGSM-R�äïáë�§���RBC�w8c �§¿�Â�RBCu

x��?=�ý�:Ú�?=��1: �§��UY3C2?MA��e§������LTA"1n��ã

¥§��®²�Â�RBCu5�MA§��m©É�C2?ÚC3?��Ó��§����LTO"�´du�?

=��U¤õ?\C3?§��U�}�±3C2?§¤±1o��ã¬kü«�¹§·�^CþTTFAIL5I

«§XJ�trueKI�X�?=��}§��UY3C2?e¡$1§XJ�falseKI�X�?=�¤õ§�

�?\C3?$1"

3.3 �ª=�

C2?�C3?��ª=�k�ØÓ�1��ª§ù��!·�ò©O�[0�C2?e¡ÚC3?e¡�

�ª=�"

1. C2?�ª=�

���"��´êâ§B�?\PS�ª"����Â��1�N��ª�OS�§��B�±=\OS§

=\�^�´��3�OS«ã"Ê�§w«8À1��§�iÅUØ8À1���§B�±=\OS�

ª"·�¦^���¬�iÅ�¬uÑch os app&Ò§iÅ�¬3Â�������¬�£ch os conf&

Ò5�[OS�ª�8À1���¦L§"��´êâ���§�����Â�FS�ª�1�N�Ò�

±=\FS�ª"ã6¥I1!I2!I3þ¢yù�ª=�"

2. C3?�ª=�

����Â��1�N��ª�CO�§��B�±=\CO§=\�^�´���Ýü$�ÎÜCO

�ª�Y²§¿�iÅ?1(@"·�¦^���¬�iÅ�¬uÑch co app&Ò§iÅ�¬3Â�

������¬�£ch co conf&Ò5�[CO�ª�8À1���¦L§"����Â��1�N�

�ª�OS�§��B�±=\OS§=\�^�´��3�OS«ã"Ê�§w«8À1��§�iÅ

UØ8À1���§B�±=\OS�ª, (@1���[�ª�C2?��"��´êâ���§�

��Â�FS�ª�1�N�B�±=\FS�ª"���$1�L�?=�:�Ó��Â�RBCux�

 áMA·-§gÄ=�C3?e�TR�ª§ù���?1;:�ħ��Ê3�?=�:���,�

:"I4¢yù�ª=�"

4 �[(J

þã�.�¹13Ù!£ã�¤k|µ§ÏL?U�.ë꧷��±�[ØÓ�|Ü�¹"I�?U�ëê�)Xeü��¡µÏL?UMAЩ�5?U;�ëê&E§l éØÓ�|Ü�¹?1�ý¶ÏL?U�ý~ê£L1��ý~ê�L¤ò�.�1�(½z"L1 �ý~ê�L

11

v21§v22§v23§v24 L«C2?4�MA«ã�;:�Ä0\�Ý

vr21§vr22§vr23§vr24 L«C2?4�MA«ã�~^�Ä0\�Ý

s21§s22§s23§s24 L«C2?4�MA«ã�8Iål

mode21§mode22§mode23§mode24 L«C2?4�MA«ã��ª

v31§v32§v33§v34 L«C3?4�MA«ã�;:�Ä0\�Ý

vr31§vr32§vr33§vr34 L«C3?4�MA«ã�~^�Ä0\�Ý

s31§s32§s33§s34 L«C3?4�MA«ã�8Iål

mode31§mode32§mode33§mode34 L«C3?4�MA«ã��ª

CON LOST Ù��§I«C2?e8À1��(@�E´Ä�~D�C3?��ì

C2?4�ЩMA«ãÚC3?4�ЩMA«ã �¿Ø��§ëìã5¥w«"C2?MAlRE�cm©§

�´C3?MAl²LLTA��m©§ùL«�k3²LLTA����â�Â�C3?MA¿�é���$1å

����^"

|^ïáÐ��.§·�éÜ©|Ü�¹?1�[�ý§(JXã7¤«"ã7d12Ìfã�¤§zÌ

fã£ã��|Ü�¹�$1(J"zÌfãî¶þL«�m§p¶��ý&Ò�ê�(J§ã¥o¢�

L«��¤3 �£ü �150m¤��m�Cz�¹§[¢�L«��$1�Ý£ü �m/s¤��m�C

z�¹§DÕJ�L«���~^�Ä0\­�§;�J�L«��¤?�?£10L«?uC2?§15L«?

uC3?¤��mCz�¹"

1. C2→C3&&OS→TRµ

��[T|Ü�¹§·�òC2?MA�ªþ���OS¶C3?MA11ã�ª���OS§�3ã�ª

���TR"

�ý(JXã7-1¤«§��3�?=�:�c�ìC2?OS�ª$1§�L�?=�:��á=?

\TR�ª§��;:á�§Ê3�?=�:��,?"

2. C2→C3&&OS→COµ

��[T|Ü�¹§·�òC2?MAc3ã�ª���OS§14ã��ª���PS¶Ó�òC3?MA

11ã�ª���OS§�3ã�ª���CO"

�ý(JXã7-2¤«§��3�?=�:�c�ìC2?OS�ª$1§�ìMA�½��=\C3?CO

�ª§�´3C2?eÃ{w«��3C3?=\CO7L�w«�(@�§¤±iÅÃ{é?\C3?CO�

ª?1(@§Ïd=\CO�ª�}§��3�?=�:?Ê�"�´du��k�AS���§ù«

�¹e���?=��}§����UY�ìC2?PS�ª$1"

3. C2→C3&&OS→FSµ

��[T|Ü�¹§·�òC2?MAc3ã�ª���OS§14ã�ª���FS¶C3?MA11ã�

ª���OS§�3ã�ª���FS"

�ý(JXã7-3¤«§��3�?=�:�c�ìC2?OS�ª$1§�L�?=�:��=\C3?

�ìFS�ª$1"

4. C2→ C3&&PS→ OSµ

��[T|Ü�¹§·�òC2?MAc3ã�ª���PS§14ã�ª���OS¶C3?MA11ã

�ª���FS§�3ã�ª���OS"��[8À1��(@�ElC2?D4�C3?¤õ��¹§

12

·���CON LOST�true§��[8À1��(@�ElC2?D4�C3?�}��¹§·��

�CON LOST�false"

8À1��(@�ElC2?D4�C3?¤õ��ý(JXã7-4¤«§��3�?=�:�c�

ìC2?PS�ª$1§3�?=�:Ê�§w«8À1��§iÅ(@�§¤õ=\C3?OS�ª§��

UY$1"8À1��(@�EvklC2?DÂ�C3?e��¹Xã7-5¤«µ��3�?=�:�c

�ìC2?PS�ª$1§3�?=�:Ê�§w«8À1��§iÅ�(@�§(@�E�£�C2?�

�ì§�´du�æ§(@�E�UD4�C3?��ì§�ª=�ؤõ§Ê3�?=�:"

5. C2→ C3&&PS→ COµ

��[T|Ü�¹§·�òC2?MAc3ã�ª���PS§14ã�ª���CO¶C3?MA11ã

�ª���FS§�3ã���CO"

T|µ�ý(JXã7-6¤«§��3�?=�:�c�ìC2?PS�ª$1§�ìMA�½���=

\C3?CO�ª§�´3C2?eÃ{w«��3C3?=\CO7L�w«�(@�§¤±iÅÃ{é?

\C3?CO�ª?1(@§Ïd=\CO�ª�}§��3�?=�:?Ê�"

6. C2→ C3&&PS→ TRµ

��[T|Ü�¹§·�òC2?MA�ªþ���PS¶C3?MA11ãMA�ª���FS§�3ã�

��TR"

(JXã7-7¤«§��3�?=�:�c�ìPS�ª$1§�L�?=�:��á=?\TR�ª§

��;:á�§Ê3�?=�:��,?"

7. C2→ C3&&PS→ FS

��[T|Ü�¹§·�òC2?MA�ªc3ã���PS§14ã���FS¶C3?MA�ªþ��

�FS"

(JXã7-8¤«§��3�?=�:�c�ìC2?PS�ª$1§�L�?=�:��=\C3?�

ìFS�ª$1"

8. C2→C3&&FS→TRµ

��[T|Ü�¹§·�òC2?MA�ªþ���FS¶C3?MA11ã�ª���FS§�3ã�ª

���TR"

(JXã7-9¤«§��3�?=�:�c�ìFS�ª$1§�L�?=�:��á=?\TR�ª§

��;:á�§Ê3�?=�:��,?"

9. C2→C3&&FS→OSµ

��[T|Ü�¹§·�òC2?MAc3ã�ª���FS§14ã�ª���OS¶C3?MA11ã

�ª���FS§�3ã�ª���OS"��[8À1��(@�ElC2?D4�C3?¤õ��¹§

·���CON LOST�true§��[8À1��(@�ElC2?D4�C3?�}��¹§·��

�CON LOST�false"

8À1��(@�ElC2?D4�C3?¤õ��ý(JXã7-10¤«§��3�?=�:�c�

ìC2?FS�ª$1§3�?=�:Ê�§w«8À1��§iÅ(@�§¤õ=\C3?OS�ª§��

UY$1"8À1��(@�EvklC2?DÂ�C3?e��¹Xã7-11¤«µ��3�?=�:�

13

c�ìC2?FS�ª$1§3�?=�:Ê�§w«8À1��§iÅ�(@�§(@�E�£�C2?

��ì§�´du�æ§(@�E�UD4�C3?��ì§�ª=�ؤõ§Ê3�?=�:"

10. C2→C3&&FS→COµ

��[T|Ü�¹§·�òC2?MAc3ã�ª���FS§14ã�ª���CO ¶C3?MA11ã

�ª���FS§�3ã�ª���CO"

(JXã7-12¤«§��3�?=�:�c�ìC2?FS�ª$1§�ìMA�½���=\C3?CO

�ª§�´3C2?eÃ{w«��3C3?=\CO7L�w«�(@�§¤±iÅÃ{é?\C3?CO�

ª?1(@§Ïd=\CO�ª�}§��3�?=�:?Ê�"

nþ¤ã§·�ÏLéþã10��µ?1�[�ý§·�uyÜ©�µ¥¬ÑyØ�~Ê�½�?=�

�}��¹§äNXL2¤«"

L2 |Ü�¹(J

C2→C3&&OS→TR �~Ê�

C2→C3&&OS→CO �?=��}

C2→C3&&OS→FS �~$1

C2→C3&&PS→OS �UØ�~Ê�

C2→C3&&PS→CO Ø�~Ê�

C2→C3&&PS→TR �~Ê�

C2→C3&&PS→FS �~$1

C2→C3&&FS→TR �~Ê�

C2→C3&&FS→OS �UØ�~Ê�

C2→C3&&FS→CO Ø�~Ê�

5 /ª�y

dL2��§3Ü©|Ü�¹e¬ÑyÊ�y�", §du�ý=UÀJ�«XÚ��U$1�¹?1

w«§¿ØUL²XÚ�¤k$1�¹"~X§3·���.¥§iÅ�1�äké²(�(½5§=[�

ÀJ¤k�U\�Ýp¡���\�Ý?11�"l,«¿Âþ`§·��±ßÿùùÀJ´»���x

�1��ª§�´»��Ø�UÊ���¹", §du�ý�)è5�Ø��5§·�éÙ¥PS�CO�

�¹��.=z�HCSP?§§¿|^Ù½ny²ìHHL Prover?1y²"ÏLy²·�(@ù«�

¹´¬u)Ø�~Ê��"

3y²L§¥§du·�='%PS�CO�ª=z��¹§3·��y��.¥·�ò�dØ�'�Ü

©SN?1{z?n"ÏL¦^óäSim2HCSP[20, 19]§·�¼�T�.�HCSP�?§§§�)7�©

�§©OéAuSimulinkÚStateflow�Cþ½Â!?§½Â!äó½Â!Ú�ª�y²8I"ù©���

k13511§��N�1"3HHL Prover¥§·�y²�(ØXeµ

lemma goal : {T,T,T,T,T,T} P {plant s 1 ≤ 4000,T,T,T,T,T;(l = 0) |(high (plant s 1≤4000)),T,T,T,T,T}"�[y²�N�2. lT(Ø¥§·��±�Ñ»�� �plant s 1©ªØU�L4000�§=»�¬Ê�"

6 o(��5�ó�

3ù�©Ù¥§·�¦^Simulink/Stateflowép�c´��XÚ�1�N�!�?,?9Ü©�ª=�

14

7-1 C2→C3&&OS→TR 7-2 C2→C3&&OS→CO 7-3 C2→C3&&OS→FS 7-4 C2→C3&&PS→OS¤õ

7-5 C2→C3&&PS→OS�} 7-6 C2→C3&&PS→CO 7-7 C2→C3&&PS→TR 7-8 C2→C3&&PS→FS

7-9 C2→C3&&FS→TR 7-10 C2→C3&&FS→OS¤õ 7-11 C2→C3&&FS→OS�} 7-12 C2→C3&&FS→CO

ã7. �[(J

|µ?1ï�"T�.äkÊ·5§ÏL?Uëê&E§�±éØÓ��?=�±9�ª=��|Ü�¹

?1�[�ý"ÏL¦^T�.·�é10�|Ü�¹?1�[�ý§��uy3,�¹e�U¬Ñy

Ø�~Ê�½ö�?=��}�y�"¿��Ù¥C2?→C3?&&PS→CO��¹?1/ª�y§(Jy

²��¬3�?=�:Ø�~Ê�"±þó�òkÏu��U?p�c´��XÚ5�"

8�·�F"3T�.¥\\RBC���|µ§¦�.�\�õ§l �±é�\E,�p�c´��

XÚ$1�¹?1�[�ý§¿? Ué¤k��U�3¯K�|µ?1/ª�y"¿�¬?�Ú�õ

�yóä§AO´|^Simulink/Stateflow�¬½���¡�p�����XÚ�ã/zï��ó"

�z

[1] /7§7S°. ETCSXÚ©Û9CTCS�ïÄ. Å�>DÄ, 6(1):3, 2004.

[2] ÿ�. ;��Ï��$1��XÚ�/ªzï�Ú�.u��{ïÄ. �®�Ï�Æ, 6, 2006.

[3] ÜÜ1. CTCS-3?��XÚoNEâ�Y. ¥Ic�Ñ��, 2008.

[4] MXu§ëùr§/7. ÄukÚPetri��ETCSÃ�Ï&��5©Û. c�Æ�, 30(1):38–42, 2008.

[5] Simulink User’s Guide, 2013. http://www.mathworks.com/help/pdf doc/ simulink/sl using.pdf.

[6] Stateflow User’s Guide, 2013. http://www.mathworks.com/help/pdf doc/ stateflow/sf ug.pdf.

[7] R. Alur and D. L. Dill. A theory of timed automata. Theoretical computer science, 126(2):183–235, 1994.

15

[8] K. Berkenkotter, S. Bisanz, U. Hannemann, and J. Peleska. The HybridUML profile for UML 2.0. International

Journal on Software Tools for Technology Transfer, 8(2):167–176, 2006.

[9] G. Berry. Synchronous design and verification of critical embedded systems using SCADE and Esterel. Lecture

Notes in Computer Science, 4916:2–2, 2008.

[10] G. Berry and G. Gonthier. The Esterel synchronous programming language: Design, semantics, implementation.

Science of computer programming, 19(2):87–152, 1992.

[11] M. S. Erik, E. Hilding, and O. Martin. Physical system modeling with modelica. Control Engineering Practice,

6(4):501–510, 1998.

[12] J. He. From CSP to hybrid systems. In A Classical Mind, Essays in Honour of C.A.R. Hoare, pages 171–189.

Prentice Hall International (UK) Ltd., 1994.

[13] T. A. Henzinger. The theory of hybrid automata. Springer, 2000.

[14] J. Liu, J. Lv, Z. Quan, N. Zhan, H. Zhao, C. Zhou, and L. Zou. A calculus for hybrid CSP. In APLAS’10, pages

1–15. Springer, 2010.

[15] C. Zhou and M. R. Hansen. Duration Calculus - A Formal Approach to Real-Time Systems. Monographs in

Theoretical Computer Science. An EATCS Series. Springer, 2004.

[16] C. Zhou, C.A.R. Hoare, and A. P. Ravn. A calculus of durations. Information Processing Letters, 40(5):269–276,

1991.

[17] C. Zhou, J. Wang, and A. P. Ravn. A formal description of hybrid systems. In Hybrid systems, LNCS 1066, pages

511–530. Springer, 1996.

[18] L. Zou, J. Lv, S. Wang, N. Zhan, T. Tang, L. Yuan, and Y. Liu. Verifying Chinese train control system under a

combined scenario by theorem proving. In VSTTE’13, to appear in LNCS. 2013.

[19] L. Zou, N. Zhan, S. Wang, and M. Franzle. Formal verification of simulink/stateflow diagrams. Technical Report

ISCAS-SKLCS-13-07, State Key Lab. of Computer Science, Institute of Software, Chinese Academy of Sciences,

2013.

[20] L. Zou, N. Zhan, S. Wang, M. Franzle, and S. Qin. Verifying simulink diagrams via a hybrid hoare logic prover. In

EMSOFT, pages 1–10, 2013.

A N�

A1. =����.0�Sim2HCSPóä=z���.�¹4 + 3 ∗n�©�§Ù¥n´Simulinkã¥Stateflowã��ê"ù©�¥

o�©�^u½ÂSimulink㥦^�Cþ!=z�HCSP�.¥¦^�äó!=z��.�½Â±9�ª�y²©�",§éAuz�Stateflowã§Sim2HCSP¬)¤n�©�©O½ÂTStateflow㥦^�Cþ!=z�éAHCSP�.±9T�.¥¦^�äó"3·�ïá��.¥§·�¦^��Stateflowã"Ïd§)¤�©��¹7�©�§¦�©O´µ

controlPDef.thy!controlADef.thy!controlVarDef.thy!varDef.thy!assertionDef.thy!processDef.thyÚgoal.thy"assertionDef.thy!controlADef.thyÚgoal.thyÌ��y²L§�'§ò3e�Ù!0�§ù�Ù!�{SNò0��{o�©��Ì�SN"

varDef.thyÌ�(�Xe§Ì�½Â�Y©�¥¦^L�Cþ½Â§�)Ï�¶!ÛÜCþ!uxCþ±9�ÂCþ"

16

theory varDefimports ”HHL”

begin

(∗Def ine channel names . ∗ )d e f i n i t i o n Ch plant v 1 1 : : cname where” Ch plant v 1 1 == ’ ’ Ch plant v 1 1 ’ ’ ”. . .

(∗Def ine r e c e i v i n g v a r i a b l e s . ∗ )d e f i n i t i o n p l a n t v 1 1 : : exp where” p l a n t v 1 1 == RVar ’ ’ p l ant v 1 1 ’ ’ ”. . .

(∗Def ine l o c a l and sending v a r i a b l e s . ∗ )d e f i n i t i o n p l an t v 1 : : exp where” p l an t v 1 == RVar ’ ’ p lant v 1 ’ ’ ”d e f i n i t i o n p l a n t s 1 : : exp where” p l a n t s 1 == RVar ’ ’ p l an t s 1 ’ ’ ”. . .

end

processDef.thyÌ�(�Xe§Ì�½Â=z��HCSP�.��Nµe§Tµe�¹StateflowãéA�HCSP?§Pcontrol"

theory proces sDe fimports ” contro lPDef ”

begin

(∗Def ine cont inuous p r o c e s s e s ∗). . .d e f i n i t i o n PC1 init : : proc where” PC1 ini t == PC1 1 ; a s s e r t i o n 2 ; PC1 2”d e f i n i t i o n PC1 rep : : proc where”PC1 rep == PC1 3 ; a s s e r t i o n 3 ; PC1 4”d e f i n i t i o n PC1 : : proc where”PC1 == PC1 init ; a s s e r t i o n 4 ; ( PC1 rep )∗”

(∗Def ine the whole p roce s s . ∗ )d e f i n i t i o n P : : proc where”P == PC1 | | Pcontro l ”end

controlVarDef.thyÌ�(�Xe§Ì�½ÂStateflowãéA�HCSP?§¥¦^�Cþ"

theory contro lVarDefimports ” a s s e r t i o n D e f ”

begin

(∗Def ine channel names . ∗ )d e f i n i t i o n BC 1 : : cname where”BC 1 == ’ ’ BC 1 ’ ’ ”d e f i n i t i o n BR 1 : : cname where”BR 1 == ’ ’ BR 1 ’ ’ ”d e f i n i t i o n BO 1 : : cname where”BO 1 == ’ ’BO 1 ’ ’ ”d e f i n i t i o n VO1 : : cname where”VO1 == ’ ’VO1’ ’ ”d e f i n i t i o n VI1 : : cname where”VI1 == ’ ’ VI1 ’ ’ ”d e f i n i t i o n vBO1 : : exp where”vBO1 == SVar ’ ’vBO1’ ’ ”. . .

(∗Def ine event v a r i a b l e s a s s i s t e n t . ∗ )

17

cons t s eL : : ”exp l i s t ”cons t s nL : : ”exp l i s t ”(∗Def ine event v a r i a b l e s . ∗ )d e f i n i t i o n E1 : : exp where”E1 == SVar ’ ’E1 ’ ’ ”d e f i n i t i o n done1 : : exp where”done1 == RVar ’ ’ done1 ’ ’ ”. . .”E == SVar ’ ’E’ ’ ”d e f i n i t i o n num : : exp where”num == RVar ’ ’num’ ’ ”d e f i n i t i o n EL : : exp where”EL == L i s t eL”d e f i n i t i o n NL : : exp where”NL == L i s t nL”(∗Def ine l o c a l and sending v a r i a b l e s . ∗ )d e f i n i t i o n s : : exp where” s == RVar ’ ’ s ’ ’ ”d e f i n i t i o n v : : exp where”v == RVar ’ ’ v ’ ’ ”d e f i n i t i o n a : : exp where”a == RVar ’ ’ a ’ ’ ”d e f i n i t i o n CONFR : : exp where”CONFR == RVar ’ ’CONFR’ ’ ”. . .

end

controlPDef.thyÌ�(�Xe§Ì�½ÂStateflowãéA�HCSP?§§T?§����?§¦^u�NHCSP�.processDef¥"Ù¥§?§Pcontrol7½Â����?§§ u£ãStateflowã��Â"Pcontrol11!Pcontrol14 !Pcontrol86 ÚPcontrol89©O½ÂRBC!TCC!��XÚÚiÅ�1�"

theory contro lPDefimports ” controlADef ”

begin

(∗Def ine the p r o c e s s e s f o r MATLAB f u c t i o n s . ∗ )d e f i n i t i o n Fcontro l1 : : proc where” Fcontro l1 ==e31 := e32 ; assSF1 ;e32 := e33 ; assSF2 ;e33 := ( e33 [+] ( Real 3200 0 ) ) ; assSF3 ;v311 := v321 ; assSF4 ;v312 := v322”. . .d e f i n i t i o n FMA3 : : proc where”FMA3 == Fcontro l1 ; assSF10 ; Fcontro l2 ; assSF11 ; Fcontro l3 ”. . .d e f i n i t i o n Pcontro l7 : : proc where” Pcontro l7 == ( (num:=( Real 0 ) ; assSF92 ;E:=( St r ing ’ ’ ’ ’ ) ; assSF93 ; ( a :=( Real 0 ) ) ) ;assSF94 ; Ch cont ro l 1 0 ! ! a ) ;assSF95 ; ( Pcontro l1 ; assSF96 ; Pcontro l2 ; assSF97 ;Pcontro l3 ; assSF98 ; Pcontro l4 ; assSF99 ; Pcontro l5 ; assSF100 ; Pcontro l6 )∗”d e f i n i t i o n Pcontro l8 : : proc where” Pcontro l8 == IF ( ( done2 [= ] ( Real 0 ) ) [ & ] E2 [= ] ( S t r ing ’ ’LUA’ ’ ) )(actRBC:=( Real 0 ) ; assSF101 ; actRBC:=( Real 1 ) ;assSF102 ; BR 2 ! ! ( S t r ing ’ ’LU’ ’ ) ; assSF103 ; done2 :=( Real 1) )”d e f i n i t i o n Pcontro l9 : : proc where” Pcontro l9 ==IF ( ( done2 [= ] ( Real 0 ) ) [ & ] E2 [= ] ( S t r ing ’ ’MAA3’ ’ ) )(actRBC:=( Real 0 ) ; assSF104 ; actRBC:=( Real 1 ) ;assSF105 ; BR 2 ! ! ( S t r ing ’ ’MAA3c’ ’ ) ; assSF106 ; done2 :=( Real 1) )”d e f i n i t i o n Pcontro l10 : : proc where

18

” Pcontro l10 == done2 :=( Real 0)”d e f i n i t i o n Pcontro l11 : : proc where” Pcontro l11 == Pcontro l10 ; assSF107 ;(BC 2??E2 ; assSF108 ; ( Pcontro l8 ; assSF109 ; Pcontro l9 ;assSF110 ; done2 :=( Real 0 ) ) ; assSF111 ; BO 2 ! ! ( S t r ing ’ ’ ’ ’ ) )∗”d e f i n i t i o n Pcontro l12 : : proc where” Pcontro l12 == IF ( ( done3 [= ] ( Real 0 ) ) [ & ] E3 [= ] ( S t r ing ’ ’MAA2’ ’ ) )

(actTCC:=( Real 0 ) ; assSF112 ; actTCC:=( Real 1 ) ;assSF113 ; BR 3 ! ! ( S t r ing ’ ’MAA2c’ ’ ) ; assSF114 ; done3 :=( Real 1) )”

d e f i n i t i o n Pcontro l13 : : proc where” Pcontro l13 == done3 :=( Real 0)”d e f i n i t i o n Pcontro l14 : : proc where” Pcontro l14 == Pcontro l13 ; assSF115 ; ( BC 3??E3 ; assSF116 ;( Pcontro l12 ; assSF117 ; done3 :=( Real 0 ) ) ; assSF118 ; BO 3 ! ! ( S t r ing ’ ’ ’ ’ ) )∗”. . .d e f i n i t i o n Pcontro l86 : : proc where” Pcontro l86 == Pcontro l85 ; assSF355 ;(BC 1??E1 ; assSF356 ; ( Pcontro l84 ; assSF357 ;done1 :=( Real 0 ) ) ; assSF358 ; BO 1 ! ! ( S t r ing ’ ’ ’ ’ ) )∗”d e f i n i t i o n Pcontro l87 : : proc where” Pcontro l87 == IF ( ( done4 [= ] ( Real 0 ) ) [ & ] E4 [= ] ( S t r ing ’ ’CONFR’ ’ ) )

( ac tDr ive r :=( Real 0 ) ; assSF359 ; ac tDr ive r :=( Real 1 ) ;assSF360 ; BR 4 ! ! ( S t r ing ’ ’CONF’ ’ ) ; assSF361 ; done4 :=( Real 1) )”

d e f i n i t i o n Pcontro l88 : : proc where” Pcontro l88 == done4 :=( Real 0)”d e f i n i t i o n Pcontro l89 : : proc where” Pcontro l89 == Pcontro l88 ; assSF362 ;(BC 4??E4 ; assSF363 ; ( Pcontro l87 ; assSF364 ; done4 :=( Real 0 ) ) ;assSF365 ; BO 4 ! ! ( S t r ing ’ ’ ’ ’ ) )∗”d e f i n i t i o n Pcontro l : : proc where” Pcontro l == Pcontro l7 | | Pcontro l11 | | Pcontro l14 | | Pcontro l86 | | Pcontro l89 ”end

A2. ½ny²�y²�'�©�Ì��)assertionDef.thy!controlADef.thy Úgoal.thyùn�©�"du©�

assertionDef.thyÚcontrolADef.thy=Jø�\äó±9Ïy²§·�3±e0�¥ò�Ñùü�©�"±e�y²©��Ì�(�"

(∗Goal f o r the whole p roce s s . ∗ )lemma goa l : ”{WTrue , WTrue , WTrue , WTrue , WTrue ,WTrue} P{( p l a n t s 1 [<=]( Real 4000) ) ,WTrue , WTrue , WTrue , WTrue ,WTrue ;( l [=] Real 0) [ | ] ( high ( p l a n t s 1 [<=]( Real 4000 ) ) ) ,WTrue , WTrue , WTrue , WTrue ,WTrue}”

(*ÏL±ey²§òy²8Iy©�Щzy²L§Ú­EO�ü�L§*)

apply ( simp add : P def )apply ( simp add : PC1 def Pcon t ro l d e f )apply ( simp add : Pcont ro l 7 de f Pcont ro l 11 de fPcont ro l 14 de f Pcont ro l 86 de f Pcont ro l 89 de f )apply ( simp add : a s s e r t i o n 4 d e f assSF95 de fassSF107 def assSF115 def assSF355 def assSF362 def )apply ( c u t t a c Ha=”HisP1” and Hb=”WTrue” and Hc=”WTrue”and Hd=”WTrue” and He=”WTrue” and Hf=”WTrue” in Para l l e lSeq6 , auto )d e f e r d e f e rapply ( simp add : HisP1 def )apply ( r u l e impR , r u l e LL3a , r u l e ba s i c )apply ( r u l e Trans , auto)+d e f e r

19

(*y²Ð©zL§÷v5��¦*)­E¦^¿u5K! S|Ü5K!ÚD��é5Ky²T5�"(*y²­EL§÷v5��¦*)

1. ¦^­E�é£repetition statement¤�5K��y²8I¥�­EÜ©¶

2. ¦^¿uÏÕ5K��y²8I¥�ÏÕ¶

3. 8¥y²�{��â5�§TÜ©(�»�ج�L8I:"

20