In 2002, Hamburg finished the fourth tunnel of the Elbtunnel (tunnel in the west of the city) which should mitigate the traffic density on this track. Because OHV's (overhigh vehicles - higher than 4m) as trucks couldn't pass thetunnel up to then, this tunnel is constructed in the way, that these vehicle can pass it, as well

 

System Description:

Because of this, OHV's must not drive through one of the other tunnels but only through this fourth one. Thus, it is installed an detection and alarm system to detect false driving OHV's, to raise an alarm in such case and to protect the tunnel by blocking it in case of an alarm.This case study only presents the track from the north to the south, which encompasses a right lane (leads through the new, fourth tunnel) and a left lane (leads through the one of the old, too low tunnel). Moreover, the model describes only the behavior up to the alarm.

To mitigate the number of false alarms the system consists of redundant control systems: a pre-, a post- and a final-control system which are located consecuitvely along the track (see figure above). The pre- and post-control system consists of two light barriers (L1, L2) that detect OHV's over both lanes. Thus, these barriers do not detect the exact position of an OHV. Because of this, the post-control system has two additional overhead microwave detectors (M1_L, M1_R) to distinguish between the left and the right lane. Unfortunatly, these overhead detectors cannot distinguish between overhigh and high vehicles. This is important, because high vehicles are allowed to drive through all tunnels. Thus, this might cause false alarms. The final control only has an overhad detector (M2_L) on the left lane (in front  of the too low tunnel).

By detecting an OHV, the pre-control system increases an OHV-counter by one and activates the post-control. If the post-control detects an OHV on the left lane (the "false" one), the system will raise an alarm. Otherwise, if an OHV is on the right lane (the "correct" one), the system activates the final control. In both cases, the system decreases the OHV-counter by one. If this counter is zero, the system deactives the post-control automatically. The final control will always raise an alarm if an OHV is detected on the left lane. The system deactivates both, the post- and the final-control, after 30 minutes when these controls do not detect any OHV. Two timers (T1, T2) trigger this deactivation for the post- and final-control, respectively.

SAML-Modelling:

The corresponding SAML-model not only represents the control system but also the environment, especially the movement of the vehicles on the lanes.

With respect to this, there exist two components that describe the random behavior of two OHV's. This is done, by modelling the positioning and the speed with probabilities.

Moreover, components also describe the current state of the control elements i.e. the light barriers, the overhead detectors, and the timers. Specific trigger events as alarms are modelled by formulas, because these express an immediate reaction.

The SAML-model expresses several failure modes e.g. mis-detection of an high but  not an overheigh vehicle by the overhead detectors as probabilisitc componets  too.

Why and What? In this section we give an overview over motivation and the core features of VECS.

Read more: Product

Am Donnerstag, dem 08.09.2016 veranstaltete der Lehrstuhl für Software Engineering der Otto-von-Guericke Universität Magdeburg unter Leitung von Prof. Dr. Frank Ortmeier mit großem Erfolg den dritten Expertenworkshop zum Thema „Anwendung innovativer modellbasierter Sicherheitsanalysemethoden im Zulassungsprozess sicherheitskritischer Anwendungen“.

Read More