Formal Verification of an Industrial Safety-Critical Traffic Tunnel Control System

  • Wytse OortwijnEmail author
  • Marieke HuismanEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11918)


Over the last decades, significant progress has been made on formal techniques for software verification. However, despite this progress, these techniques are not yet structurally applied in industry. To reduce the well-known industry–academia gap, industrial case studies are much-needed, to demonstrate that formal methods are now mature enough to help increase the reliability of industrial software. Moreover, case studies also help researchers to get better insight into industrial needs.

This paper contributes such a case study, concerning the formal verification of an industrial, safety-critical traffic tunnel control system that is currently employed in Dutch traffic. We made a formal, process-algebraic model of the informal design of the tunnel system, and analysed it using mCRL2. Additionally, we deductively verified that the implementation adheres to its intended behaviour, by proving that the code refines our mCRL2 model, using VerCors. By doing so, we detected undesired behaviour: an internal deadlock due to an intricate, unlucky combination of timing and events. Even though the developers were already aware of this, and deliberately provided us with an older version of their code, we demonstrate that formal methods can indeed help to detect undesired behaviours within reasonable time, that would otherwise be hard to find.



This work is partially supported by the NWO VICI 639.023.710 Mercedes project and by the NWO TOP 612.001.403 VerDi project.


  1. 1.
    Beers, R.: Pre-RTL formal verification: an intel experience. In: DAC, pp. 806–811 (2008).
  2. 2.
    Blanchard, A., Kosmatov, N., Lemerre, M., Loulergue, F.: A case study on formal verification of the anaxagoros hypervisor paging system with Frama-C. In: Núñez, M., Güdemann, M. (eds.) FMICS 2015. LNCS, vol. 9128, pp. 15–30. Springer, Cham (2015). Scholar
  3. 3.
    Blom, S., Darabi, S., Huisman, M., Oortwijn, W.: The VerCors tool set: verification of parallel and concurrent software. In: Polikarpova, N., Schneider, S. (eds.) IFM 2017. LNCS, vol. 10510, pp. 102–110. Springer, Cham (2017). Scholar
  4. 4.
    Bunte, O., et al.: The mCRL2 toolset for analysing concurrent systems. In: Vojnar, T., Zhang, L. (eds.) TACAS 2019. LNCS, vol. 11428, pp. 21–39. Springer, Cham (2019). Scholar
  5. 5.
    Calcagno, C., et al.: Moving fast with software verification. In: Havelund, K., Holzmann, G., Joshi, R. (eds.) NFM 2015. LNCS, vol. 9058, pp. 3–11. Springer, Cham (2015). Scholar
  6. 6.
    Clarke, E.M.: The birth of model checking. In: Grumberg, O., Veith, H. (eds.) 25 Years of Model Checking. LNCS, vol. 5000, pp. 1–26. Springer, Heidelberg (2008). Scholar
  7. 7.
    Cok, D.R.: Java automated deductive verification in practice: lessons from industrial proof-based projects. In: Margaria, T., Steffen, B. (eds.) ISoLA 2018. LNCS, vol. 11247, pp. 176–193. Springer, Cham (2018). Scholar
  8. 8.
    Filliâtre, J.: Deductive software verification. STTT 13(5), 397–403 (2011). Scholar
  9. 9.
    van Glabbeek, R., Höfner, P., Portmann, M., Tan, W.: Modelling and verifying the AODV routing protocol. Distrib. Comput. 29(4), 279–315 (2016). Scholar
  10. 10.
    de Gouw, S., Rot, J., de Boer, F.S., Bubel, R., Hähnle, R.: OpenJDK’s Java.utils.Collection.sort() is broken: the good, the bad and the worst case. In: Kroening, D., Păsăreanu, C.S. (eds.) CAV 2015. LNCS, vol. 9206, pp. 273–289. Springer, Cham (2015). Scholar
  11. 11.
    Groote, J.F., Mousavi, M.R.: Modeling and Analysis of Communicating Systems. MIT Press, Cambridge (2014)CrossRefGoogle Scholar
  12. 12.
    Groote, J.F., Wijs, A.: An \(O(m\log n)\) algorithm for stuttering equivalence and branching bisimulation. In: Chechik, M., Raskin, J.-F. (eds.) TACAS 2016. LNCS, vol. 9636, pp. 607–624. Springer, Heidelberg (2016). Scholar
  13. 13.
    Huisman, M., Joosten, S.J.C.: Towards reliable concurrent software. Principled Software Development, pp. 129–146. Springer, Cham (2018). Scholar
  14. 14.
    Hwong, Y., Keiren, J., Kusters, V., Leemans, S., Willemse, T.: Formalising and analysing the control software of the compact muon solenoid experiment at the large hadron collider. SCP 78(12), 2435–2452 (2013). Scholar
  15. 15.
    mCRL2—Showcases. Accessed July 2019
  16. 16.
    Landelijke Tunnelstandaard (National Tunnel Standard). Accessed June 2019
  17. 17.
    Oortwijn, W., Blom, S., Gurov, D., Huisman, M., Zaharieva-Stojanovski, M.: An abstraction technique for describing concurrent program behaviour. In: Paskevich, A., Wies, T. (eds.) VSTTE 2017. LNCS, vol. 10712, pp. 191–209. Springer, Cham (2017). Scholar
  18. 18.
    Oortwijn, W., Blom, S., Huisman, M.: Future-based static analysis of message passing programs. In: PLACES, pp. 65–72 (2016). Scholar
  19. 19.
    Philippaerts, P., Mühlberg, J., Penninckx, W., Smans, J., Jacobs, B., Piessens, F.: Software verification with verifast: industrial case studies. SCP 82, 77–97 (2014). Scholar
  20. 20.
    Ruijters, E., Guck, D., van Noort, M., Stoelinga, M.: Reliability-centered maintenance of the electrically insulated railway joint via fault tree analysis: a practical experience report. In: DSN, pp. 662–669. IEEE Computer Society (2016).
  21. 21.
    Silva, R., de Oliveira, J., Pinto, J.: A case study on model checking and deductive verification techniques of safety-critical software. In: SBMF, Federal University of Campina Grande (2012)Google Scholar
  22. 22.
    The Technolution. Accessed June 2019
  23. 23.
    Wiggelinkhuizen, J.: Feasibility of formal model checking in the Vitatron environment. Master’s thesis, Eindhoven University of Technology (2007)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. 1.University of TwenteEnschedeThe Netherlands

Personalised recommendations